RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Jesper G. Høy <jesper@jhsoft.com> Tue, 29 July 2008 16:26 UTC

From: "Jesper G. Høy" <jesper@jhsoft.com>
To: 'Alex Bligh' <alex@alex.org.uk>, namedroppers@ops.ietf.org
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <028601c8f185$eeb51b90$cc1f52b0$@com> <F64EF155F05968A001280C7B@Ximines.local> <028a01c8f18c$7f6bb620$7e432260$@com> <572015C3F44995F54736D38B@Ximines.local>
In-Reply-To: <572015C3F44995F54736D38B@Ximines.local>
Subject: RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Tue, 29 Jul 2008 18:18:41 +0200
Message-ID: <029401c8f196$c5822bd0$50868370$@com>

I agree - and I am not arguing against DNSSEC as a whole.
As I started out saying - "There may be other good reasons to push DNSSEC" - distributing public keys certainly may be one of those.

However, this was in regards to the Kaminsky bug, which is all about carrying IP addresses (A/AAAA RRSets in response Additional section).
So to clarify: DNSSEC doesn't make much difference when the bad guy is on-the-wire - for IP address records.

Without having thought this through, I think resolvers could probably ignore anything else (non A/AAAA RRSets) in the response Additional section - limiting the Kaminsky bug to such records. But that's a different thread...

Carrying IP addresses is still by far the biggest use of DNS.
And I am just not convinced that it is a good idea to apply DNSSEC's complexity to this most fundamental part of our Internet.
I believe a simpler solution stands a much better chance of actually being implemented and used, and therefore is more secure overall.
Especially if such a solution does not require any end-user action other than patching.

Sincerely,
Jesper



> -----Original Message-----
> From: Alex Bligh [mailto:alex@alex.org.uk]
> Sent: Tuesday, July 29, 2008 5:23 PM
> To: Jesper G. Høy; namedroppers@ops.ietf.org
> Cc: Alex Bligh
> Subject: RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?
> 
> 
> 
> --On 29 July 2008 17:05:09 +0200 "Jesper G. Høy" <jesper@jhsoft.com>
> wrote:
> 
> > If DNSSEC tells you (signed and secure) that my website is at 1.2.3.4 -
> > the bad guy on the wire can still intercept and replace all the traffic
> > from your browser to 1.2.3.4 and feed his own stuff back to your browser
> > appearing to come from 1.2.3.4.
> >
> > Having the correct IP address of my web-server is no guarantee that you
> > are actually talking to the right server - when the bad guy is
> > on-the-wire that is.
> 
> Sure, but then that's true of any use of trusted information in an
> insecure manner. DNS doesn't just carry IP addresses, and there's nothing
> to prevent one from putting other information (e.g. public keys) in the
> DNS. You mentioned "that's what SSL is for"; it would be equally possible
> to secure http (or smtp or whatever) using public keys retrieved over
> DNSSEC to avoid the attack you mention over. Without DNSSEC you need
> some other mechanism of ensuring the public key is correct; whilst
> SSL certificates have got good traction for HTTP, they haven't for
> (e.g.) SMTP.
>
> This is a useful discussion if only because it shows there are two meanings
> of "on the wire attacks" (i.e. attacks to DNS, and attacks based on an
> intercept of the results of the lookups).
> 
> Alex
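Added illustration (not part of either message above): the Additional-section policy Jesper sketches, a cache keeping only A/AAAA RRSets from that section, written as a small filter alongside the in-bailiwick rule most resolvers already apply. Records are modelled as plain tuples and the sample referral is constructed; a real resolver would parse them from wire format. As the thread notes, neither rule stops a forged in-bailiwick A/AAAA record, which is exactly the point being made.

```python
# Added example, not code from the thread: filter the Additional section of a
# DNS response so a cache keeps only A/AAAA records whose owner name is at or
# below the zone the answering server is authoritative for.
from typing import Iterable, List, Tuple

RR = Tuple[str, str, int, str]  # (owner name, type, TTL, rdata) -- constructed model

# The record types Jesper suggests a resolver could limit the Additional section to.
ALLOWED_ADDITIONAL_TYPES = {"A", "AAAA"}

def _labels(name: str) -> List[str]:
    """Split a domain name into lower-cased labels, ignoring the trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a subdomain of it (case-insensitive)."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_additional(additional: Iterable[RR], zone: str) -> Tuple[List[RR], List[RR]]:
    """Split Additional-section RRs into (kept, dropped) for zone's referral."""
    kept, dropped = [], []
    for rr in additional:
        owner, rtype, _ttl, _rdata = rr
        if rtype in ALLOWED_ADDITIONAL_TYPES and in_bailiwick(owner, zone):
            kept.append(rr)
        else:
            dropped.append(rr)
    return kept, dropped

# Constructed sample: a referral for example.com from a server authoritative
# for "com." carrying legitimate glue plus records a cache should not take
# from an Additional section.
SAMPLE_ADDITIONAL: List[RR] = [
    ("ns1.example.com.", "A", 172800, "192.0.2.1"),            # glue, kept
    ("ns1.example.com.", "AAAA", 172800, "2001:db8::1"),       # glue, kept
    ("www.example.com.", "CNAME", 3600, "cdn.example.net."),   # not A/AAAA
    ("ns1.example.net.", "A", 172800, "192.0.2.2"),            # outside "com."
    ("example.com.", "TXT", 3600, "v=spf1 -all"),              # not A/AAAA
]

if __name__ == "__main__":
    kept, dropped = filter_additional(SAMPLE_ADDITIONAL, "com.")
    for rr in kept:
        print("keep", rr)
    for rr in dropped:
        print("drop", rr)
```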



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>