DNSSEC is almost worthless!
Thierry Moreau <thierry.moreau@connotech.com> Sun, 05 March 2006 16:58 UTC
From: Thierry Moreau <thierry.moreau@connotech.com>
Subject: DNSSEC is almost worthless!
Date: Sun, 05 Mar 2006 11:58:17 -0500
Lines: 120
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-From: owner-namedroppers@ops.ietf.org Sun Mar 05 17:30:17 2006
Return-path: <owner-namedroppers@ops.ietf.org>
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.1 required=5.0 tests=AWL,BAYES_00,RCVD_IN_SBL, UNPARSEABLE_RELAY autolearn=no version=3.1.0
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
To: namedroppers@ops.ietf.org
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Message-ID:
Message-ID: <20140418072135.2560.10002.ARCHIVE@ietfa.amsl.com>
Dear all: Some non-participants to the dnsext wg may assess the DNSSEC as a useless effort to solve a marginal security issue in Internet. For these persons, there is no reason to participate in dnsext activities related to DNSSEC. This message reviews the elements of DNSSEC added value, and then discusses a condition which may vary the DNSSEC added value according to the participant perspective. This is relevant to the discussion of trust anchor key requirements document: if DNSSEC has only some marginal value, it is justified to put little effort in coming up with a "rigorous" set of requirements. First, what does DNSSEC actually do? It provides DNS resolvers with end-to-end cryptographic assurance about data retrieved from the DNS. More precisely, it provides 1) a user feedback like a red-yellow-green light besides a domain name (resp. for bogus-insecure-secure DNSSEC name resolution status), or a turned-off traffic light (for an indeterminate DNSSEC status), 2) the same indication as in 1) above, but for a managed nameserver instead of an end-user system (e.g. bogus name resolution being logged in a corporate nameserver system), 3) key management support for other security schemes, i.e. secure applications that would retrieve data (typically public keys of remote parties in cryptographic protocols) from the secured DNS and accept the data only if its DNSSEC status is "secure". Item 1) requires a end-user education, which proved mostly ineffective for many IT security schemes. Item 1) is thus only valuable to financial institutions for maintaining the onus of on-line banking security to the account holders (so the bank can claim that it offered a "commercial-grade security procedure" allowing the account holder to protect himself from phishing/pharming attacks). Item 2) can assist a corporate IT department to protect its internal users from bogus data from the Internet DNS, provided sufficient attention is paid to the operation of the nameservice. Items 1) and 2) both require adoption of DNSSEC technology at various stages of the end-to-end process, and a noticeable penetration rate of DNSSEC. In the meantime, DNSSEC deployment without genuine value added is deemed to be insufficiently supported for proper implementation and troubleshooting. Some comments were made that DNSSEC is just too complex for effective deployment (e.g. message from Bert Hubert to namedroppers in Feb 2006). In addition, the end-to-end cryptographic assurance is perhaps justified mostly because there are too many nameservers operating with BIND version prior to 8.4 (these are vulnerable to the DNS cache poisoning attack). Items 1) and 2) obviously need trust anchor key configuration, but are not critically dependent on "rigorous" trust anchor rollover procedures. Item 3) is not strictly part of the DNSSEC service definition, but DNSSEC deployment would be instrumental in providing this novel means of authenticated public key distribution. This item 3) is perhaps the most tangible value from DNSSEC, but it is a niche application as the cryptographic application protocol usage is marginal in the first place. I may provide references supporting the existence of this item 3). DNSSEC-supported encryption (a by-product of item 3) is certainly not a welcome development for governmental organizations concerned with "national security interests". So, from the perspective of governments, DNSSEC application to public key distribution would not contribute to DNSSEC value. Many dnsext active participants work for organizations funded by, or receiving significant contracts from, the US or OECD governments, including two editors of draft-ietf-dnsext-rollover-requirements-00.txt. The item 3) needs trust anchor key configuration, just like items 1) and 2), but this time "rigorous" trust anchor rollover procedures would make a difference in the effectiveness of the "service" (from a security perspective). My understanding of the ietf dnsext current activities is much influenced by the marginal value of DNSSEC from items 1) and 2), and the negative value of item 3) from the perspective of governments. I don't know to which extent there are dnsext active participants who see positive value in item 3) to the point of contributing to the TAK rollover debate. TAKREM for DNSSEC (draft-moreau-dnsext-sdda-rr-01.txt, draft-moreau-dnsext-takrem-dns-01.txt) is *both* rigorous *and* efficient. Efficiency would be beneficial to DNSSEC deployment if there was value in DNSSEC to justify its deployment in the first place. About TAKREM rigor, the above suggests that the intrinsic security properties of TAKREM might appear as *lowering* the value of DNSSEC for governments. Regards, -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, Qc Canada H2M 2A1 Tel.: (514)385-5691 Fax: (514)385-5900 web site: http://www.connotech.com e-mail: thierry.moreau@connotech.com -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- DNSSEC is almost worthless! Thierry Moreau
- Re: DNSSEC is almost worthless! Paul Vixie