Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

bert hubert <bert.hubert@netherlabs.nl> Wed, 23 July 2008 18:47 UTC

Date: Wed, 23 Jul 2008 20:32:27 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: David Conrad <drc@virtualized.org>
Cc: Ben Laurie <ben@links.org>, DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Message-ID: <20080723183227.GA11957@outpost.ds9a.nl>
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org>

On Wed, Jul 23, 2008 at 10:25:23AM -0700, David Conrad wrote:
> Actually, I suspect not, since I would guess this event has increased  
> the number of dnscache sites out there.  And PowerDNS (also unaffected  
> by the vulnerability as I understand it) doesn't support DNSSEC  
> either, right?

Correct - my reasoning can be found on
http://ds9a.nl/dnssec/index.html#id2467146

Some older stuff: http://ds9a.nl/secure-dns.html

DNS is part of the long chain from a named service to a physical server:

1) ARP to find the hardware serving the router/nameserver IP
2) DNS to find the server IP
3) BGP to find the link to the destination AS
4) (TCP/)IP to the actual server
5) Content

Everybody who really cares about information security handles it in the
application that deals with the content, and is close to the user. All the
steps underneath have traditionally been plaintext, and have only been
hardened enough to be secure enough that casual tampering is ruled out.

Because we use real crypto for our important content anyhow, crypto that
does authentication, this is not a problem.

1) ARPSEC has been proposed, but never went anywhere. Switches implement
port security measures.
2) DNS has been hardened using random source ports
3) BGP has suffered the MD5 scare, and has now been hardened using TTL-checks to keep out
strangers
4) TCP/IP has been hardened by making sure everybody uses unpredictable sequence numbers.

You can see where this is going.

DNSSEC would be the most complex protocol ever deployed on such a scale on
the internet [1], with far reaching administrative and computational
consequences for everybody, yet it would sit all the way down there in the
stack.

I wouldn't put any faith in secure DNS alone.

So - DNS needs only to be strong enough to not be easily subverted in the
process of transporting plaintext unauthenticated data. This puts an upper
bound on the overhead (financial, technical and administrative) that we
should commit to DNS security.

And I firmly believe some simple measures will bring DNS to the required
level of robustness against tampering, and that these simple measures will
fit in the 'overhead budget' mentioned above. [2]

I also firmly believe DNSSEC will impose an order of magnitude more hassle
than the world is willing to bear.

	Bert

[1] The telephony world beats us hands down though. Think H.323 or SS7.
[2] EDNS PING extra entropy, with gradual fallback to TCP to be introduced
to give everybody the opportunity to deploy. Fallback to TCP in case of a
single question-response {id,source-port} mismatch might even be enough!

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
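The message above leans on two concrete mechanisms: a 16-bit transaction ID plus a random 16-bit source port as the entropy that makes off-path forgery expensive, and (footnote [2]) a resolver that switches to TCP as soon as a single {id, source-port} mismatch is seen. The following is an added example written for this archive page, not code from the message, from PowerDNS or from any other resolver. It builds and checks DNS packets in memory only; the `Resolver` class, the `spoof_success_probability` helper, the 1024-65535 port range and the "one mismatch flips the TCP flag" policy are simplifying assumptions made here to illustrate the argument.

```python
"""Model of why the entropy in {transaction ID, UDP source port} protects a
resolver that only transports unauthenticated data, and of the proposed
"fall back to TCP after one mismatch" policy. Added example, standard library only.
"""
import os
import random
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
QR_BIT = 0x8000                          # flags bit set on a response
_sysrand = random.SystemRandom()         # OS CSPRNG for the source port

def encode_name(name):
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt, off):
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("name compression not handled in this model")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", off

def build_query(txid, qname, qtype=1):
    hdr = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)          # RD set
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(txid, qname, ip, qtype=1):
    """A-record answer; used for both the genuine and the forged packet."""
    hdr = DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0)          # QR, RD, RA
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rr = (encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, 4)
          + bytes(int(x) for x in ip.split(".")))
    return hdr + question + rr

def parse_question(pkt):
    txid, flags = DNS_HEADER.unpack_from(pkt, 0)[:2]
    qname, off = decode_name(pkt, DNS_HEADER.size)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return txid, flags, qname, qtype, qclass

class Resolver:
    """Tracks outstanding queries by (txid, local port) and enforces the
    single-mismatch TCP fallback from footnote [2] (assumed policy)."""

    def __init__(self):
        self.pending = {}          # (txid, sport) -> (qname, qtype)
        self.mismatches = 0
        self.tcp_fallback = False

    def send_query(self, qname, qtype=1):
        qname = qname.rstrip(".").lower() + "."
        while True:
            txid = int.from_bytes(os.urandom(2), "big")
            sport = _sysrand.randrange(1024, 65536)      # assumed port range
            if (txid, sport) not in self.pending:         # never reuse a live pair
                break
        self.pending[(txid, sport)] = (qname, qtype)
        return sport, build_query(txid, qname, qtype)

    def receive(self, dport, pkt):
        """dport is the local UDP port the datagram arrived on. Returns True
        only if id, port and question all match an outstanding query."""
        txid, flags, qname, qtype, _ = parse_question(pkt)
        key = (txid, dport)
        if flags & QR_BIT and self.pending.get(key) == (qname, qtype):
            del self.pending[key]
            return True
        self.mismatches += 1
        self.tcp_fallback = True       # one bad guess and UDP is no longer trusted
        return False

def spoof_success_probability(entropy_bits, forged_packets):
    """Chance that forged_packets distinct guesses hit one outstanding query
    before the genuine answer arrives."""
    return min(1.0, forged_packets / 2 ** entropy_bits)

if __name__ == "__main__":
    r = Resolver()
    sport, q = r.send_query("example.com")
    txid = parse_question(q)[0]
    forged = build_response((txid + 1) & 0xFFFF, "example.com", "192.0.2.66")
    print("forged accepted:", r.receive(sport, forged), "tcp_fallback:", r.tcp_fallback)
    print("genuine accepted:", r.receive(sport, build_response(txid, "example.com", "192.0.2.1")))
    print("16-bit id only, 65536 forgeries:", spoof_success_probability(16, 65536))
    print("id + random port, 65536 forgeries:", spoof_success_probability(32, 65536))
```

The probability helper shows the shape of the argument: with the ID alone, a burst of 65536 forged packets is a certainty, while adding the random port turns the same burst into roughly a one-in-65536 chance per outstanding query, and the fallback flag makes even that first burst self-defeating because the resolver stops listening on UDP for the rest of the exchange.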
