This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] What about the last mile, was: getting DNSSEC deployed
Roy Arends
roy at nominet.org.uk
Fri Feb 16 15:35:15 CET 2007
So I lied. It wasn't my last response on the subject.

Lutz Donnerhacke wrote on 02/16/2007 01:13:40 PM:

> * Roy Arends wrote:
> > Lutz Donnerhacke wrote on 02/16/2007 11:40:14 AM:
> >> You can't update the installed base quick enough to gain the benefits
> >> of DNSSEC. If the recursing resolvers do not validate, the whole DNSSEC
> >> effect is going to zero. You will find about 100000 validating
> >> resolvers at end user sites and nobody will sign a zone for this group
> >> of geeks.
> >
> > Ah, you're assuming that folk will en-masse sign their zones for the
> > handful of validating resolvers ?
>
> Yes. See the reactions to the last announcement of a Swedish ISP.

So folks with domains under '.se' are signing their zone en-masse ? Haven't seen those reactions.

> > Meanwhile, my OS/X and windows boxes are configured (by default) to update
> > itself regularly. Some of my applications do that as well. My browsers
> > have validation integrated. Joe end user would not even see the
> > difference.... but he's better off than before.
>
> He will see a difference, if some spoofing attacks no longer work.

Stub resolvers can be spoofed trivially. resolver code in dsl routers/cable modems can be spoofed trivially. So, unless the end-user has dnssec deployed locally, spoofing attacks work.

> > I don't really expect any demand from end-users in general.
>
> I see a strong demand from commercial banking institutes (not really).
> Let's assume some major DSL-ISPs do switch on validating. This results in
> a trusted DNS for about 60% of their customers (may be more). Now consider
> the phishing buzzword.

security theater. Nothing really changes for the end user. Those who tried to spoof resolvers will now change their focus towards the end-users stub. Arms race.

> > That leaves us with pushing code to the end user, in applications and OS,
> > which implies cooperation from and education to software developers.
>
> Taking this road means: Redo from start.

It _is_ done from the start. We've put in the current standards. Applications can already use. My jabber server uses it. Validation on a stub.

> Never get a reasonable deployment.
> Root will not be signed, because there are not enough installations. More
> installations will not come up, because the root is not signed and key
> maintenance is a mess. Catch-22.

That is the _current_ status quo. not enough installations have 'switched on' dnssec, so why bother signing. why bother switching on dnssec if not enough domains are signed.

> >> I can't see your point here.
> >
> > acl's, firewalls, etc, that decide on source ip address if it can query
> > your resolver. I can circumvent that.
>
> How do you want to do this?

I scan a range, a few boxes will do a reverse lookup. I control the specific reverse address space, hence your resolver is talking to me: window of opportunity. Another way is spraying spam around, antispam code resolve whatever I tell it to resolve. This reminds me to finish my article about intrusion detection detection (sic) methods, and develop some anti intrusion detection dection (sic) methods.

> Please respond by email directly, it's off-topic.

Well. Others might be interested in this as well, so, there.

> >> You are a geek. But you spoke about end users. And they trust their ISP
> >> for the data they received from him.
> >
> > I'd advise joe end user to validate locally.
>
> They are free to do so. They are free to use any nameserver they want.
> But if they use the ISP's recursive resolver, this will be a validating one.

What is the use of seeing a bit set in the response that claims that the response is validated, when I can't trust the link !!!!!!!

> > Just as I'd advise them validate certificates (which browsers do
> > automagically). Are you saying that end users should blindly trust their
> > http connection, just because it comes via their ISP, or the ISP's proxy?
>
> No, you confuse the source of the data.

eh ?

> The ISP can validate the integrity of DNSSEC-signed zones, and it is good to do so.

The ISP can validate the integrity, sure. To me that would be another middlebox fondling with the data.

> The ISP can't validate the
> integrity of HTTPS certificates, because the protocols do not show them to
> him without several crude hacks.

So, basically, if the https protocol would allow it, ISP's like to validate the integrity of certificates as well.... so end users don't have to ?

Roy
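
The point above about the "validated" bit on an untrusted link, as an added example that is not part of the original message: the AD flag is a single bit in the DNS header that no signature covers, so a stub can only give it weight when the path to the resolver is itself trusted. The function names, the use of loopback as the stand-in for a trusted path, and the sample message are assumptions constructed for this sketch.

```python
import ipaddress
import struct

AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags word
QR_FLAG = 0x8000  # set on responses

def header_flags(message: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035; AD bit per RFC 4035)."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", message[:12])
    return {"id": msg_id, "response": bool(flags & QR_FLAG),
            "ad": bool(flags & AD_FLAG), "rcode": flags & 0x000F,
            "answers": an}

def ad_is_meaningful(message: bytes, resolver_ip: str) -> bool:
    """Stub policy: rely on AD only when the path to the resolver is local.

    Assumption for this sketch: loopback stands in for "a channel the stub
    can trust"; any other resolver address is treated as an unprotected link.
    """
    hdr = header_flags(message)
    trusted_path = ipaddress.ip_address(resolver_ip).is_loopback
    return hdr["response"] and hdr["ad"] and hdr["rcode"] == 0 and trusted_path

def build_response(ad: bool) -> bytes:
    """Constructed sample: A-record response for example.com (192.0.2.1)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)      # QR, RD, RA (+ AD)
    header = struct.pack("!6H", 0x1A2B, flags, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = (b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)
              + bytes([192, 0, 2, 1]))
    return header + question + answer

def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets where two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    validated, plain = build_response(True), build_response(False)
    # The "validated" and "unvalidated" replies differ in one header byte only.
    print("bytes that differ:", differing_offsets(validated, plain))
    print("remote resolver:", ad_is_meaningful(validated, "198.51.100.53"))
    print("local resolver :", ad_is_meaningful(validated, "127.0.0.1"))
```
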