Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
bert hubert <bert.hubert@netherlabs.nl> Wed, 23 July 2008 18:47 UTC
Date: Wed, 23 Jul 2008 20:32:27 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: David Conrad <drc@virtualized.org>
Cc: Ben Laurie <ben@links.org>, DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Message-ID: <20080723183227.GA11957@outpost.ds9a.nl>
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org>
In-Reply-To: <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org>
On Wed, Jul 23, 2008 at 10:25:23AM -0700, David Conrad wrote:
> Actually, I suspect not, since I would guess this event has increased
> the number of dnscache sites out there. And PowerDNS (also unaffected
> by the vulnerability as I understand it) doesn't support DNSSEC
> either, right?

Correct - my reasoning can be found on http://ds9a.nl/dnssec/index.html#id2467146

Some older stuff: http://ds9a.nl/secure-dns.html

DNS is part of the long chain from a named service to a physical server:

1) ARP to find the hardware serving the router/nameserver IP
2) DNS to find the server IP
3) BGP to find the link to the destination AS
4) (TCP/)IP to the actual server
5) Content

Everybody who really cares about information security handles it in the
application that deals with the content, and is close to the user. All the
steps underneath have traditionally been plaintext, and have only been
hardened enough to be secure enough that casual tampering is ruled out.
Because we use real crypto for our important content anyhow, crypto that
does authentication, this is not a problem.

1) ARPSEC has been proposed, but never went anywhere. Switches implement
   port security measures.
2) DNS has been hardened using random source ports
3) BGP has suffered the MD5 scare, and has now been hardened using
   TTL-checks to keep out strangers
4) TCP/IP has been hardened by making sure everybody uses unpredictable
   sequence numbers.

You can see where this is going. DNSSEC would be the most complex protocol
ever deployed on such a scale on the internet [1], with far reaching
administrative and computational consequences for everybody, yet it would
sit all the way down there in the stack. I wouldn't put any faith in secure
DNS alone.

So - DNS needs only to be strong enough to not be easily subverted in the
process of transporting plaintext unauthenticated data. This puts an upper
bound on the overhead (financial, technical and administrative) that we
should commit to DNS security.

And I firmly believe some simple measures will bring DNS to the required
level of robustness against tampering, and that these simple measures will
fit in the 'overhead budget' mentioned above. [2]

I also firmly believe DNSSEC will impose an order of magnitude more hassle
than the world is willing to bear.

	Bert

[1] The telephony world beats us hands down though. Think H.323 or SS7.

[2] EDNS PING extra entropy, with gradual fallback to TCP to be introduced
to give everybody the opportunity to deploy. Fallback to TCP in case of a
single question-response {id,source-port} mismatch might even be enough!

--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services
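The resolver-side bookkeeping behind footnote [2], as an added example that is not part of Bert's post or of PowerDNS: each in-flight UDP query is keyed by its random transaction ID and source port, and a response that matches no outstanding {id, source-port} pair for that name is counted as a mismatch and pins the name to TCP for subsequent lookups. The `Resolver` class and `udp_identifier_bits` helper are constructed for illustration; the EDNS PING nonce width is a parameter, since the post does not specify it.

```python
import math
import secrets
from dataclasses import dataclass, field


@dataclass
class Pending:
    qname: str
    txid: int
    sport: int


@dataclass
class Resolver:
    """Toy resolver: tracks in-flight UDP queries and falls back to TCP on a mismatch."""
    pending: dict = field(default_factory=dict)   # (txid, sport) -> Pending
    tcp_only: set = field(default_factory=set)    # names pinned to TCP after a mismatch
    mismatches: int = 0

    def send_query(self, qname):
        """Return the (txid, sport) pair used for a UDP query, or 'tcp' if the name is pinned."""
        if qname in self.tcp_only:
            return "tcp"
        txid = secrets.randbelow(1 << 16)                 # 16-bit transaction ID
        sport = 1024 + secrets.randbelow(65536 - 1024)    # random unprivileged source port
        self.pending[(txid, sport)] = Pending(qname, txid, sport)
        return (txid, sport)

    def receive(self, qname, txid, sport):
        """Accept a response only if it matches an outstanding query for the same name."""
        key = (txid, sport)
        p = self.pending.get(key)
        if p is not None and p.qname == qname:
            del self.pending[key]
            return "accepted"
        # Either a late duplicate or a forged answer: count it and move the name to TCP,
        # where the three-way handshake makes blind spoofing impractical.
        self.mismatches += 1
        self.tcp_only.add(qname)
        return "mismatch"


def udp_identifier_bits(ping_nonce_bits=0):
    """Approximate bits a forged UDP answer must match: TXID, usable port range, EDNS PING nonce."""
    return 16 + math.log2(65536 - 1024) + ping_nonce_bits
```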