IETF Logo Mail Archive

Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

David Conrad <drc@virtualized.org> Mon, 11 August 2008 20:08 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A7FC3A693E; Mon, 11 Aug 2008 13:08:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level:
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[AWL=-1.140, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qFrcQ76omBCY; Mon, 11 Aug 2008 13:08:33 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4E60C3A6892; Mon, 11 Aug 2008 13:08:33 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KSdcj-0002VO-10 for namedroppers-data@psg.com; Mon, 11 Aug 2008 20:04:13 +0000
Received: from [204.152.189.190] (helo=virtualized.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <drc@virtualized.org>) id 1KSdcf-0002Uv-Dj for namedroppers@ops.ietf.org; Mon, 11 Aug 2008 20:04:11 +0000
Received: from [10.0.1.199] (c-71-198-3-247.hsd1.ca.comcast.net [71.198.3.247]) by virtualized.org (Postfix) with ESMTP id A0C472CCA40; Mon, 11 Aug 2008 13:04:08 -0700 (PDT)
Cc: Namedroppers WG <namedroppers@ops.ietf.org>
Message-Id: <B5457C05-D2EA-4A31-94AB-84807AC62843@virtualized.org>
From: David Conrad <drc@virtualized.org>
To: "Jesper G. Høy" <jesper@jhsoft.com>
In-Reply-To: <021101c8fb13$34634310$9d29c930$@com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v928.1)
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Mon, 11 Aug 2008 13:04:07 -0700
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <028601c8f185$eeb51b90$cc1f52b0$@com> <F64EF155F05968A001280C7B@Ximines.local> <028a01c8f18c$7f6bb620$7e432260$@com> <572015C3F44995F54736D38B@Ximines.local> <029401c8f196$c5822bd0$50868370$@com> <489F0F8E.6020607@gis.net> <021101c8fb13$34634310$9d29c930$@com>
X-Mailer: Apple Mail (2.928.1)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

Jesper,

On Aug 10, 2008, at 11:02 AM, Jesper G. Høy wrote:
> My point was that it doesn't matter that you get the correct IP  
> address
> (signed by DNSSEC) if the bad buy is on the wire.

> In that scenario he can just spoof that IP address and replace web- 
> sites etc. with his own data.


Ignoring for the moment the fact that 134 million (or even 4 billion)  
packets isn't that much anymore (and will be less and less over time),  
the DNS lookup 'wire' is logically distinct from the content 'wire'.   
The ability to "intercept spoof" a DNS response can occur anywhere on  
the DNS lookup 'wire', not only on the content producer/consumer's  
local LAN.  By not protecting the packet content, you open yourself up  
to a distinct set of attackers beyond the local wire.

> Only SSL can protect you here.

As Dan Kaminsky points out: "SSL certs themselves are dependent on the  
DNS".

> I see nothing in the slides that suggest that DNSSEC is the only true
> solution or that rule out other solutions.

Indeed.  DNSSEC may not be the 'only true solution' and there may be  
other solutions.  The vast majority of folks who have burned brain  
cells and stomach lining on DNSSEC could be complete idiots and an  
obvious, complete, lightweight, and architecturally clean solution  
could be staring all of us in the face.  I look forward to reading  
your draft on the topic  (note that I wouldn't consider a solution  
that ignores the risk on the DNS lookup 'wire' complete, but maybe  
that's just me).

I would however note that partly as a result of this latest incident  
of having it pointed out that it is better to protect data content  
than the data channel, the amount of DNS infrastructure out there  
capable of supporting DNSSEC (and the political will to see it  
deployed) has likely taken a very significant jump...

Regards,
-drc


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email