IETF Logo Mail Archive

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

Paul Wouters <paul@xelerance.com> Thu, 25 February 2010 16:39 UTC

Return-Path: <paul@xelerance.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6969928C17C for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 08:39:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.564
X-Spam-Level:
X-Spam-Status: No, score=-2.564 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ehjP4zIW8sEH for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 08:39:44 -0800 (PST)
Received: from newtla.xelerance.com (newtla.xelerance.com [193.110.157.143]) by core3.amsl.com (Postfix) with ESMTP id 3D2E228C12E for <ietf@ietf.org>; Thu, 25 Feb 2010 08:39:44 -0800 (PST)
Received: from tla.xelerance.com (tla.xelerance.com [193.110.157.130]) by newtla.xelerance.com (Postfix) with ESMTP id 2C3D7BC07; Thu, 25 Feb 2010 11:41:55 -0500 (EST)
Date: Thu, 25 Feb 2010 11:41:55 -0500
From: Paul Wouters <paul@xelerance.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
In-Reply-To: <a123a5d61002241239i16abd52cn5e8dda15a1dd55b0@mail.gmail.com>
Message-ID: <alpine.LFD.1.10.1002251136250.1697@newtla.xelerance.com>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <sdzl2yvgru.fsf@wjh.hardakers.net> <874c02a21002240835u7cf4bf60y510cbbc870727852@mail.gmail.com> <20100224165011.GF5166@thunk.org> <a123a5d61002240944l3944a8acy804a1d819bf2cc3d@mail.gmail.com> <20100224142926.21d929c0@yellowstone.machshav.com> <a123a5d61002241239i16abd52cn5e8dda15a1dd55b0@mail.gmail.com>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 16:39:45 -0000

On Wed, 24 Feb 2010, Phillip Hallam-Baker wrote:

> I would like to see us create an assumption that a given machine will
> only use recursive resolution services from a specific trusted source.

Trust no one. More and more devices will do their own DNSSE validation,
and just use caches to get the data. That's the beauty of DNSSEC and
one of the two main bottlenecks of DNSCurve (the other is requiring cpu
for crypto on every packet)

> This in turn requires us to add some features to the protocol as we
> need to add mechanisms for access control.

There is already access control possible, eg TSIG/SIG(0). Just no one
seems to use it on the stub resolvers.

> We also need to make some
> changes to get around widespread DNS hacks used to support roaming
> WiFi provision.

Most of those have moved away from DNS already and just hijack the IP
port 80 stream instead.

> [Oh we are so not close to being done with deployment here. If turning
> on DNSSEC means the typical Web surfer cannot get their WiFi access at
> Panera without reconfiguring their machine then DNSSEC is stone cold
> dead.]

The fix for this will come from the browsers, who have to deal with this
situation anyway to avoid your 20 open tabs from reloading into a portal
page.

> Rather than using the approach in DNScurve, I would want to see
> something like the following:
>
> * When a new machine is brought up the configurer is asked which
> network they want it to be a part of, identified by a DNS name. This
> will be the place that the system will use to look for the trusted DNS
> resolution service. Since I use 8.8.8.8 I would enter 'google.com'.
> The default could be taken from DHCP
> * New RR to allow a machine to locate a trusted resolution service for
> the network and authentication protocols supported. The initial
> bootstrap could be taken from the DHCP service.
> * Key agreement mechanism that allows the client to establish a
> persistent binding represented by a kerberos style ticket
> * Packet encapsulation mechanism that enables a kerberos style ticket
> to be entered into client request packets.

Seems much easier to me to store 1 DNSSEC root key and do it yourself.

Paul

v2.23.0 | Report a Bug | By Email