Re: [DNSOP] Should be signed

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Mon, 08 March 2010 15:49 UTC

Return-Path: <nweaver@ICSI.Berkeley.EDU>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0215A3A6952 for <>; Mon, 8 Mar 2010 07:49:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.768
X-Spam-Status: No, score=-5.768 tagged_above=-999 required=5 tests=[AWL=0.231, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8N8cQgySgvI4 for <>; Mon, 8 Mar 2010 07:49:15 -0800 (PST)
Received: from fruitcake.ICSI.Berkeley.EDU (fruitcake.ICSI.Berkeley.EDU []) by (Postfix) with ESMTP id 12E953A6A18 for <>; Mon, 8 Mar 2010 07:48:51 -0800 (PST)
Received: from [IPv6:::1] (jack.ICSI.Berkeley.EDU []) by fruitcake.ICSI.Berkeley.EDU ( with ESMTP id o28Fmq0a007828; Mon, 8 Mar 2010 07:48:52 -0800 (PST)
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <> <>
In-Reply-To: <>
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
Message-Id: <>
Content-Transfer-Encoding: quoted-printable
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Date: Mon, 08 Mar 2010 07:48:52 -0800
To: Paul Wouters <>
X-Mailer: Apple Mail (2.1077)
Cc:, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, Joe Abley <>
Subject: Re: [DNSOP] Should be signed
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Mar 2010 15:49:17 -0000

On Mar 8, 2010, at 7:27 AM, Paul Wouters wrote:

> On Mon, 8 Mar 2010, Joe Abley wrote:
>> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as follows:
>> - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over the A and AAAA RRSets) which is a potential disadvantage
> Is it? Is DNSSEC that bad then? Why did we design it that way?
>> - however, since the root zone is signed, validators can already tell when they are talking to a root server that serves bogus information
> How does that work without ROOT-SERVERS.NET being signed with a known trust anchor?
> How does my validating laptop know that the curent wifi is not spoofing a.ROOT-SERVERS.NET to some local IP?

If your ISP is acting as a MitM on DNS, its acting as a MitM on everything, so DNSSEC buys you f-all if you are using it for A records, because any app using that A record either doesn't trust the net or is trivially p0owned by the ISP.

DNSSEC is ONLY useful for things like TXT and CERT records fetched by a DNSSEC aware cryptographic application, and that would require a valid signature chain from the root(s) of trust (either preconfigured or on a path from the signed root) validated on the client, so an imitation won't matter, as it won't be able to provide improper data.

So in your example, doesn't need to be signed, and buys no increase in trust WHETHER IT IS SIGNED OR NOT, because even if it IS signed, that coveys no value about the results returned from it, because the signatures are not along the trust heirarchy for DNSSEC, which follows the name path, not the lookup path.

Remember, DNSSEC is a PKI, with only one path of trust which matches the name path (so, for *, the trust path is,, .com, ., either to a signed root, a signed TLD, or a trust anchor configured for either or [1].  You MUST be able to validate along the path (the transitive trust of a PKI), but you ONLY need to validate along the path (the limited trust of a PKI).

Thus although is a domain involved in the resolution of anything for * (its on the resolution path), it is not on the trust path, so whether it is signed or not has no impact on whether the chain up will validate cryptographically.

QED:  Signing should be done for completeness, but only AFTER .net is signed, because really, its a signature path that doesn't actually matter and SHOULDN'T actually be validated for normal lookups [2], but only when the values are directly requested by a cilent!

[1] And this is why I want DNSSEC: it IS a PKI and should be used as such, but one with a much cleaner trust path than the SSL-model PKI, and without adding any NEW trust paths to the system as this is the same trust path needed for normal DNS.

[2] I really don't like DNSSEC's reliance on the recursive resolver to do signature validations, because there really is no right answer for what the recursive resolver should do on cryptographic failures (contrast with the client where there are good answers).  

But if the recursive resolver IS validating DNSSEC, it MUST ONLY validate the path of trust for the names requested by the client, simply to minimize spurious and irrelevant cryptographic failures.  If the recursive resolver is validating the signatures of for internal use, it is doing it wrong: something which reduces reliability but doesn't increase security.