> From: Derek Atkins [mailto:[email protected]]
> 
> 1) the root zone is signed with a known key, and
> 2) most of the TLDs are signed (in particular .com is definitely signed)

When you first connected to the network, DHCP told you to use some DNS server.  
When firefox, or anything else in your OS queries that DNS server to resolve 
some name, you do not receive the response from the TLD.  You just get a 
response to your query, and not all the subsequent queries that were necessary 
in order to resolve your query.  Better yet, your OS itself caches the 
response, so once again, FF makes some query, and doesn't get a signed response.

This may be a shortcoming of implementation, but if so, that doesn't make it 
any less relevant, because neither your OS name caching daemon, nor the 
upstream caching server are doing "the right thing" and the world is a *long* 
way off from having all the dumb Linksys routers upgraded to the point of DNS 
security being effectively universally deployed.

These are yet another two possible solutions to the problem - 

Don't use caching DNS servers; every client must query the TLD directly and do 
all its own resolving.  Or, globally adopt a new standard where the caching DNS 
server gives your client not only the response you requested, but the entire 
signed chain...  But these solutions very definitely do not exist as globally 
universally standard deployed solutions today.

Today, FF queries for www.google.com, and the query is handled by whatever DNS 
server was doled out to the client via DHCP, and the DNS server response is 
only going to be the final result of the query, which could have been mangled 
in transit.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to