Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Joe Abley <jabley@ca.afilias.info> Fri, 25 July 2008 19:41 UTC

Cc: Jelte Jansen <jelte@NLnetLabs.nl>, DNSEXT WG <namedroppers@ops.ietf.org>
Message-Id: <BEADC795-3C76-407A-A979-2B0AAACE0328@ca.afilias.info>
From: Joe Abley <jabley@ca.afilias.info>
To: bert hubert <bert.hubert@netherlabs.nl>
In-Reply-To: <20080725193101.GB8193@outpost.ds9a.nl>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Fri, 25 Jul 2008 15:36:15 -0400
References: <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <2FFE6519-7E9C-4DE8-AF69-697A4D875011@nominum.com> <20080723191636.GB32507@outpost.ds9a.nl> <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org> <20080724060743.GA7420@outpost.ds9a.nl> <48886C4D.4020500@ca.afilias.info> <63C0FFE7-17E6-4ECE-9A12-0537FE2E3F4B@ca.afilias.info> <4888FED2.6060204@NLnetLabs.nl> <E7388E94-D031-4059-91F9-1596A254E21C@ca.afilias.info> <20080725193101.GB8193@outpost.ds9a.nl>
List-ID: <namedroppers.ops.ietf.org>

On 25 Jul 2008, at 15:31, bert hubert wrote:

> On Fri, Jul 25, 2008 at 01:03:05PM -0400, Joe Abley wrote:
>> I think that's wrong. I think that once someone is in the position of
>> being able to meddle with the query/response stream, all bets are off
>> and DNSSEC is no cure.
>
> Wow - sure? I may be no friend of DNSSEC but I always assumed DNSSEC
> would be 'perfect' in this way.
>
> If this is true, it only strengthens the case that the hassle of
> DNSSEC exceeds its merits by at least an order of magnitude.

I am feeling very ignorant right now, so let nobody take what follows  
as the voice of authority.

Imagine a world in the future in which the root zone is signed, and  
some TLD zones are signed, and some other zones are signed.

It seems to me that a bare validator, freshly started, with no cache  
and no special configuration, knows nothing about what zones in the  
world are secured and which are not.

If such a validator asks a question of a root server, or a TLD server,  
or some other server, and gets back an insecure referral, it seems to  
me the validator has no real way of knowing whether the insecure  
answers are from middleboxes, or direct from real infrastructure that  
happens not to have deployed DNSSEC.

Hand-configuring your validator to tell it "ORG is signed, root is
signed, don't believe anybody who tells you otherwise" would
presumably fix that. But replicating such dynamic information by way
of static configuration in millions of independently-managed resolvers
doesn't seem very scalable.

Perhaps it's sufficient just to tell your validator "the root is
signed, don't believe answers which suggest otherwise". But that
requires a signed root, and in the meantime DNSSEC isn't providing
any protection from middleboxes.


Joe

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
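The distinction Joe's message turns on (an unsigned referral is "bogus" only when something the validator already trusts says the zone should be signed; otherwise it is merely "insecure", whether a middlebox stripped it or the zone was never signed) can be shown as a small chain-of-trust walk. The following Python is an added example, not code from the thread or from any resolver; the delegation chain, the DS sets and the trust-anchor sets are constructed, and signature verification is reduced to a boolean flag (real RRSIG/DNSKEY crypto and the NSEC/NSEC3 denial-of-existence proof for a missing DS are assumed to have been checked elsewhere).

```python
"""Toy DNSSEC chain-of-trust walk illustrating Joe Abley's point.

Constructed example, not from the mailing-list thread. Each Hop is one
response the validator received while walking down from the root.
`signed` stands in for "the RRSIGs on this answer verify" (no real
crypto here). `ds_for` is the set of child zones for which this zone
publishes a DS record; a signed parent with no DS for a child is taken
as a verified denial of existence (NSEC/NSEC3 proof assumed, not
modelled).
"""
from dataclasses import dataclass


@dataclass
class Hop:
    zone: str
    signed: bool
    ds_for: frozenset = frozenset()


def classify(chain, trust_anchors):
    """Walk a delegation chain top-down and return (status, reason).

    status is 'secure', 'insecure' or 'bogus'. The validator only ever
    *requires* a signature when something it already trusts vouches for
    the zone: a configured trust anchor, or a DS record in a parent
    whose own answer validated. Without that, an unsigned answer is
    indistinguishable from a legitimately unsigned zone.
    """
    expect_signed = False   # does anything we trust say this zone is signed?
    validated = False       # did the current hop validate?
    for i, hop in enumerate(chain):
        if hop.zone in trust_anchors:
            expect_signed = True
        if expect_signed and not hop.signed:
            return ("bogus",
                    f"{hop.zone}: a trust anchor or DS says this zone is "
                    f"signed, but the answer carries no valid signatures")
        # Signatures on a zone nothing vouches for cannot be verified,
        # so they give no trust; only an *expected* signed hop validates.
        validated = expect_signed and hop.signed
        if i + 1 < len(chain):
            child = chain[i + 1].zone
            # Only a validated parent can tell us whether the child is signed.
            expect_signed = validated and child in hop.ds_for
    if validated:
        return "secure", "chain of trust validated end to end"
    return ("insecure",
            f"nothing vouches for {chain[-1].zone}: it may be unsigned, "
            f"or a middlebox may have stripped DNSSEC from the path")


# Constructed responses (hypothetical; not real zone data).
ROOT_SIGNED = Hop(".", signed=True, ds_for=frozenset({"org."}))
ROOT_UNSIGNED = Hop(".", signed=False)
ORG_SIGNED = Hop("org.", signed=True, ds_for=frozenset({"example.org."}))
ORG_STRIPPED = Hop("org.", signed=False)   # stripped by a middlebox, or simply unsigned
EXAMPLE_SIGNED = Hop("example.org.", signed=True)
EXAMPLE_STRIPPED = Hop("example.org.", signed=False)


def scenarios():
    """Map each situation from the message to the validator's verdict."""
    return {
        # Signed root, full DS chain, root trust anchor: everything validates.
        "signed root, full chain":
            classify([ROOT_SIGNED, ORG_SIGNED, EXAMPLE_SIGNED], {"."})[0],
        # Same world, but a middlebox strips DNSSEC from the ORG answer:
        # the signed root's DS for ORG makes the stripped answer bogus.
        "signed root, middlebox strips org":
            classify([ROOT_SIGNED, ORG_STRIPPED, EXAMPLE_SIGNED], {"."})[0],
        # 2008: unsigned root, no anchors. The same stripping is merely
        # 'insecure' because nothing says ORG should have been signed.
        "unsigned root, no anchors, org stripped":
            classify([ROOT_UNSIGNED, ORG_STRIPPED, EXAMPLE_SIGNED], set())[0],
        # The hand-configured fix Joe mentions: an anchor for ORG lets the
        # validator catch stripping below ORG even with an unsigned root.
        "unsigned root, org anchor, example stripped":
            classify([ROOT_UNSIGNED, ORG_SIGNED, EXAMPLE_STRIPPED], {"org."})[0],
        # Signed root that publishes no DS for ORG: ORG is provably
        # unsigned, so an unsigned ORG answer is insecure, not bogus.
        "signed root, org legitimately unsigned":
            classify([Hop(".", signed=True), ORG_STRIPPED, EXAMPLE_SIGNED], {"."})[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{verdict:9s} {name}")
```

The third and fifth scenarios are the crux: with no trust anchor above the stripped zone, a middlebox that removes DNSSEC records produces exactly the same "insecure" verdict as a zone that was never signed, which is why the message concludes that protection against middleboxes needs a signed root (or a per-zone anchor) rather than DNSSEC alone.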