People who think they don't care about DNSSEC now should still be
concerned about any changes to root and TLD servers and should be
concerned about the consequences of those changes in the future. There
really are no changes that have zero impact.
> That is, if you don't care about DNSSEC, do you think it would be
> bad(tm) if the root were to be signed (for the sake of argument,
> ignore the time waste, administrative overhead, etc. associated with
> DNSSEC-signing)? If so, why?
I think this would be bad(tm). There are a number of serious unresolved
DNSSEC issues, the resolution of which is anticipated to change the
protocol. For example, besides the previously mentioned key rollover
issue, I understand that DNSSEC also doesn't allow the protocol to be
changed securely. And we do expect the protocol to be changed.
DNSSEC deployment on the root and TLDs will merely encourage people to
invest in deploying DNSSEC servers and resolvers. Such deployment merely
makes changes to the protocol more difficult, since changes cause those
initial users to be exposed, after they have relied on secure DNS. We
should not encourage people to rely on DNS for security.
The hype surrounding the Kaminsky report is unjustified. For example,
one can't steal bank information with this attack, as the mainstream
press has reported. SSL/TLS validates the certificates
cryptographically and doesn't depend on DNS, except of course that wrong
DNS information could lead to a Denial of Service attack. DNS
information in a certificate is merely used to verify the correct
certificate was returned before trying cryptographic verification. Cache
poisoning results in failure to get the correct certificate unless there
is a corresponding failure in the CA. Certificate verification is the
better approach to establish secure connections.
There have been some assertions that SMTP anti-spam security depends on
DNS security. These schemes don't hold water. In 2003, I showed that the
information theory result that no communication system can be proven
free of covert channels implies that no communication system can be
designed 'spam-free'. So, changes to DNS or SMTP to defeat spam are
doomed to failure. Experience with failures of anti-spam schemes over
the last 10+ years is consistent with this analysis. Ideas like
micro-payments and such are also doomed to failure for the same reasons.
Defeating spam is a question of getting better at 'whack-a-mole',
improving communication between ISPs to track abuse, eliminating false
teaming of spammers in anti-spam operations, and having adequate legal
responses particularly against botnets.
Of course, the people hoping to sell authentication systems,
micropayment systems, etc. plainly won't agree, but then people selling
perpetual motion machines similarly don't agree with the conclusions of
thermodynamics. However, physicists and government demand to see that
the laws of thermodynamics aren't violated before funding research on
new energy systems. Similarly, I think that before we make expensive
changes to accommodate anti-spam schemes, we should first ensure
that the laws of information theory aren't violated by the scheme.
I also seem to recall some claims that DNSSEC can create more
opportunity for cryptographic DOS attacks on DNS servers. Can anyone
speak to that?
In conclusion, deploying DNSSEC before it's ready will encourage people
to wrongly place MORE trust in DNS information, even though those people
will be exposed to greater expense and risk later. This is a
dis-service to the public, especially when key rollover and expected
protocol changes will expose them to untrustworthy operation in the
future. Knee-jerk reactions are almost always a bad idea, especially
when the reaction has the potential to be worse than the problem.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
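The post above argues that a poisoned A record alone does not hand an attacker a TLS session, because the client compares the host name it intended to reach with the names carried in the certificate it was actually given, and only a matching certificate (i.e. a CA failure) would pass that comparison. The following is an added example, not code from the post or from any IETF work: a pure-Python re-implementation of the RFC 6125 dNSName matching rules (strict wildcard form, as modern clients apply them), run over constructed data. The resolver cache, server IPs (RFC 5737 documentation ranges) and SAN lists are all made up for the example; real clients delegate this check to their TLS library, the matcher here only makes the rules visible.

```python
"""RFC 6125-style host name matching against a certificate's SAN dNSName list.

Added example, not part of the original DNSOP post. All certificate data,
resolver answers and IP addresses below are constructed by hand; nothing is
fetched from the network and no real certificates are parsed.
"""
import ipaddress


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot (root) never appears in a
    # certificate dNSName, so strip it before comparing.
    return name.lower().rstrip(".")


def is_ip_literal(hostname: str) -> bool:
    """True for an IPv4/IPv6 literal; such a name never matches a dNSName."""
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate dNSName `pattern` covers `hostname`.

    Rules (RFC 6125 section 6.4.3, in the strict form browsers use today):
      * comparison is case-insensitive, label by label;
      * a wildcard is allowed only as the entire left-most label, so
        "*.example.com" matches "www.example.com" but neither "example.com"
        nor "a.b.example.com"; partial wildcards like "w*.example.com" are
        rejected;
      * a wildcard pattern needs at least two further labels ("*.com" is out);
      * IP-address host names never match a dNSName (they would need an
        iPAddress SAN entry instead).
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname or is_ip_literal(hostname):
        return False

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if "*" not in pattern:
        # Plain name: every label must match exactly.
        return p_labels == h_labels

    # Wildcard: only a bare "*" as the left-most label, nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_valid_for(san_dns_names, hostname: str) -> bool:
    """Accept the certificate if any dNSName in its SAN list matches."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


# --- constructed scenario -------------------------------------------------
# What a poisoned resolver cache hands the client for the bank's name.
POISONED_CACHE = {"www.bank.example": "203.0.113.10"}
# What an unpoisoned cache would have returned.
HONEST_CACHE = {"www.bank.example": "198.51.100.5"}

# SAN dNSName lists of the certificates each (made-up) server presents.
SERVERS = {
    "203.0.113.10": ["attacker.example", "*.attacker.example"],  # attacker
    "198.51.100.5": ["bank.example", "*.bank.example"],          # real bank
    # A certificate a CA should never have issued: carries the victim name.
    "203.0.113.20": ["www.bank.example"],                        # mis-issued
}


def connect(hostname: str, cache, servers=SERVERS):
    """Simulate: resolve, receive the server's certificate, run the name check.

    Returns (ip_connected_to, certificate_accepted).
    """
    ip = cache[hostname]
    return ip, certificate_valid_for(servers[ip], hostname)


if __name__ == "__main__":
    print(connect("www.bank.example", POISONED_CACHE))  # attacker IP, False
    print(connect("www.bank.example", HONEST_CACHE))    # bank IP, True
    # Cache poisoning plus a CA failure: the attacker does pass the check.
    print(connect("www.bank.example", {"www.bank.example": "203.0.113.20"}))
```

The three `connect` calls are the three branches the post distinguishes: poisoning alone lands the client on the attacker's server but the name check rejects its certificate (a denial of service, not a compromise); a correct answer is accepted; and only a certificate that already carries the victim's name, i.e. a CA failure, turns the poisoned answer into an accepted session.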