On 12/03/2014 11:20 AM, Richard Pieri wrote:
On 12/3/2014 10:52 AM, Derek Atkins wrote:
Actually, it was designed to protect against that.  I sat in the
IETF meetings where that was explicitly discussed.  If an intermediary
strips the DNSSEC records out then a resolver expecting DNSSEC will
force a validation error.

Which results in a denial of service for clients if DNSSEC is enforced.
That's not protecting users; that's dumping them into black holes.

I think that comment misses the point. DoS is typically an acceptable response to man-in-the-middle attacks; it is worse to make me think I have a secure connection to GMail than it is to just refuse connection entirely. Likewise, I would rather have DNS not work at all than have it hijacked (because the hijacker is almost certainly going to redirect me away from where I'm wanting to go anyway).

I started the discussion about DNSSEC because I was saying you could use that, along with some special TXT entry in your domain's zone to have a verifiable way to identify who an /appropriate/ CA for a given domain is (and thereby not have to throw away all of the X509 system).

There are two potential flaws, one that I identified, and one that R. Pieri brought up (which I think but I'm not sure that Derek refuted).

The first flaw is DNSSEC to end clients.  There are two solutions to this:
 1) run a caching name server locally and only use that (easy)
2) have application specific hooks to do the appropriate lookups (for instance, this firefox extension, while out of maintenance, seemed to do sort of what I wanted: https://addons.mozilla.org/en-US/firefox/addon/extended-dnssec-validator/ ; also worth noting is that this plugin seemed to require some auxillary software installed, but that may have been just because DNSSEC stuff wasn't built-in to libdns at the time)

The second issue was that DNSSEC has a built-in way to MITM it, where an intermediary could strip out the info that indicated that a given domain had DNSSEC records (the claim was this was forced for compatibility). I think Derek refuted that, and I have to believe that
what Richard claimed would defeat the whole purpose of DNSSEC.

Matt
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to