Practical issues deploying DNSSEC into the home.

Jim Gettys <jg@freedesktop.org> Tue, 10 September 2013 15:56 UTC

Date: Tue, 10 Sep 2013 11:55:36 -0400
Subject: Practical issues deploying DNSSEC into the home.
From: Jim Gettys <jg@freedesktop.org>
To: ietf@ietf.org, dns-security@lists.tislabs.com

Ted T'so referred to a conversation we had last week. Let me give the
background.

Dave Taht has been doing an advanced version of OpenWrt for our bufferbloat
work (called CeroWrt http://www.bufferbloat.net/projects/cerowrt/wiki/Wiki).
Of course, we both want things other than just bufferbloat, as you can see
by looking at that page (and you want to run in place of what you run
today, given how broken and dated home router firmware from manufacturers
generally is).  Everything possible gets pushed upstream into OpenWrt as
quickly as possible; but CeroWrt goes beyond where OpenWrt is in quite a
few ways.

I was frustrated by Homenet's early beliefs (on no data) that lots of
things weren't feasible due to code/data footprint; both Dave and I knew
better from previous work on embedded hardware.  As an example, Dave has since
put a current version of bind 9 into the build (thereby proving that having a
full-function name service in your home router is completely feasible;
that has aided discussions in the working group).

We uncovered two practical problems, both of which need to be solved to
enable full DNSSEC deployment into the home:

1) DNSSEC needs to have the time within one hour.  But these devices do not
have TOY clocks (and arguably, never will, nor even probably should ever
have them).

So how do you get the time after you power on the device?  The usual answer
is "use ntp".  Except you can't do a DNS resolve when your time is
incorrect.  You have a chicken and egg problem to resolve/hack around :-(.

Securely bootstrapping time in the Internet is something I believe needs
doing... and being able to do so over wireless links, not just relying on
wired links.

2) when you install a new home router, you may want to generate
certificates for that home domain (particularly so it can be your primary
name server, which you'd really like to be under your control anyway,
rather than delegating to someone else who could either intentionally or
unintentionally subvert your domain).

Right now, on that class of hardware, there is a dearth of entropy available,
causing such certificate generation to be painful/impossible without human
intervention, which we know home users don't do.  These SoCs do not have
hardware RNGs, and we can't trust them blindly either. Ted's working on
that situation in Linux; it is probably a case of "the enemy of the good is
the perfect", but certainly I'm now much more paranoid than I once was.

See: https://plus.google.com/117091380454742934025/posts/XeApV5DKwAj

Jim
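The chicken-and-egg problem Jim describes in point 1, as an added example that is not part of the original message: a toy model of a router that boots with no real-time clock, showing why validating lookups fail until the clock is set and why the clock has to be fetched first. The zone names, signature windows and the "time from NTP" value are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class RRSIG:
    """Only the validity window of an RRSIG matters here; the crypto is assumed to pass."""
    owner: str
    inception: datetime    # signature is not valid before this instant
    expiration: datetime   # signature is not valid after this instant


def rrsig_time_valid(sig: RRSIG, now: datetime) -> bool:
    """RFC 4035 validity-window check: the validator's own clock must fall inside the window."""
    return sig.inception <= now <= sig.expiration


class Router:
    """Minimal model of a home router with no battery-backed (TOY) clock."""

    def __init__(self, sigs):
        self.clock = datetime(1970, 1, 1, tzinfo=UTC)   # no TOY clock: boots at the epoch
        self.sigs = {s.owner: s for s in sigs}

    def resolve(self, name: str, validate: bool = True) -> bool:
        """True if the name resolves; with validate=True the RRSIG window must pass."""
        sig = self.sigs[name]
        return (not validate) or rrsig_time_valid(sig, self.clock)

    def sync_time(self, ntp_name: str, time_from_ntp: datetime) -> bool:
        """Bootstrap: look up the NTP server WITHOUT DNSSEC validation, then set the clock.
        This lookup is unauthenticated, which is exactly the gap the message says needs a
        secure solution; the clock source itself must be trusted by some other means."""
        if not self.resolve(ntp_name, validate=False):
            return False
        self.clock = time_from_ntp   # constructed: stands in for the NTP exchange
        return True


def demo():
    # Constructed zone data: both signatures are valid for one week around 2013-09-10.
    window = (datetime(2013, 9, 7, tzinfo=UTC), datetime(2013, 9, 14, tzinfo=UTC))
    r = Router([RRSIG("ntp.example.", *window), RRSIG("www.example.", *window)])
    before = r.resolve("www.example.")    # False: a 1970 clock is outside every window
    r.sync_time("ntp.example.", datetime(2013, 9, 10, 15, 56, tzinfo=UTC))
    after = r.resolve("www.example.")     # True: clock now inside the window
    return before, after


if __name__ == "__main__":
    print(demo())
```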