Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Nicholas Weaver <nweaver@icsi.berkeley.edu> Sat, 14 March 2015 19:44 UTC

Sender: Nicholas Weaver <nweaver@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_4433D9B8-2831-4115-9656-7DBFA72C7C18"; protocol="application/pgp-signature"; micalg="pgp-sha512"
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <5503A412.20602@redbarn.org>
Date: Sat, 14 Mar 2015 12:44:50 -0700
Message-Id: <64FF8B96-F823-41AD-80FD-0006A278F03F@icsi.berkeley.edu>
References: <20150312125913.20188.qmail@cr.yp.to> <3D558422-D5DA-4434-BDED-E752BA353358@flame.org> <m27fulry37.wl%randy@psg.com> <55030A28.8050707@necom830.hpcl.titech.ac.jp> <5503101F.9060205@redbarn.org> <968C470DAC25FB419E0159952F28F0C06DF659F0@MEM0200CP3XF04.ds.irsnet.gov> <00B5D36F-5DFA-46EE-B61B-F5307738A910@icsi.berkeley.edu> <5503A412.20602@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/A5ijS3ZuP80kroXZKA20PwSfnl0>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards
Precedence: list

> On Mar 13, 2015, at 7:59 PM, Paul Vixie <paul@redbarn.org> wrote:

> >	Nicholas Weaver	Saturday, March 14, 2015 5:07 AM
>> 
>>> ...
>>> 
>>> Overall, unless you are validating on the end host rather than the recursive resolver, DNSSEC does a lot of harm from misconfiguration-DOS, but almost no good.
>> 
> several of us jumped for joy in 2008 when kaminsky showed rdns poisoning to be a trivial exercise, because it finally provided justification for what was at that time 12 years of apparently-wasted effort on DNSSEC.

But it didn't justify DNSSEC, even at the time.

Between actually adding in a bit more entropy in the request through 0x20 and port randomization, and more importantly cleaning up the glue policy for recursive resolvers (which Unbound did), you close the door on off-path attackers: both making races harder AND eliminating the "race until win" property.

In fact, several have viewed the glue policy cleanup which gets to the root cause of the Kaminski problem as detrimental specifically because of the desire to force DNSSEC adoption.

> so we'll keep pushing the crap system we have, uphill all the way, noone loving it, and almost everyone in fact hating it. we've now spent more calendar- and person-years on DNSSEC than was spent on the entire IPv4 protocol suite (including DNS itself) as of 1996 when the DNSSEC effort began. ugly, ugly, ugly.

At which point is it sunk cost fallacy?

"DNS is insecure, live with it" may be the best answer.  Why keep throwing good effort after bad?

It certainly is a hell of a lot better than the DOS attack that is recursive resolver validation which provides almost no meaningful security gain.

If I was Comcast, after the HBO DNSSEC mess-up, on top of previous mess-ups where Comcast inevitably gets the blame, I'd be really really tempted to turn OFF DNSSEC validation.  It has failed.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc

Attachment: signature.asc

Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Colm MacCárthaigh
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Ted Lemon
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Mark Andrews
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Nicholas Weaver
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… David Conrad
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… bert hubert
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… bert hubert
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Ray Bellis
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… bert hubert
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Ray Bellis
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… P Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Mark Andrews
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Yunhong Gu
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Yunhong Gu
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Olafur Gudmundsson
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Florian Weimer
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] dnsop-any-notimp violates the DNS sta… Stephane Bortzmeyer
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Edward Lewis
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… bert hubert
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Jared Mauch
[DNSOP] dnsop-any-notimp violates the DNS standar… D. J. Bernstein
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Jared Mauch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… David C Lawrence
Re: [DNSOP] dnsop-any-notimp violates the DNS sta… John Levine
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Edward Lewis
[DNSOP] clarification on DNSOP charter Re: [dns-o… Suzanne Woolf
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… D. J. Bernstein
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Darcy Kevin (FCA)
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Darcy Kevin (FCA)
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… D. J. Bernstein
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Graff
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Mark Andrews
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Randy Bush
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Masataka Ohta
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Morizot Timothy S
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… David Conrad
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Morizot Timothy S
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Robert Edmonds
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Nicholas Weaver
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Morizot Timothy S
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Mark Andrews
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Darcy Kevin (FCA)
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… D. J. Bernstein

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Attachment: signature.asc