On Jan 17, 2011, at 5:29 AM, <[email protected]> wrote:
> This option directs a host to ask questions of some of the servers it could
> have sent its question to anyway. How can DNSSEC not manage to secure DNS
> queries in that case?
Your assertions about the state of the art in DNS resolver implementations are probably correct. However, essentially what you are proposing is to take this broken behavior as a standard, and then build new functionality on it. The problem is that the behavior is broken, and shouldn't be a basis for building new functionality. I don't disagree with your motivation for building the new functionality; the question is whether there's a way to do it that is not, like the status quo, broken.

The way your proposal breaks DNSSEC is by allowing an attacker to convince your resolver to treat a pre-arranged server as the authority for certain named zones.

Hm. Okay, so the reason this is an issue is that I'm assuming the resolver doesn't do its own validation. And you're right that if it doesn't do its own validation, it's not much worse off using this option than not using it; the degree to which it's worse off is that this option allows the attacker to deterministically attack certain domains, whereas without the use of this option the attacker would, in a best-case scenario, be relying on chance to succeed in its attack. If the resolver *does* validate to a known trust anchor, then it will discover any provable lie a perverted name server tells, even if it does the entire query through the perverted name server, because the perverted name server can't spoof the trust anchor (we *hope*)!

This actually makes me feel a lot better about the proposal. I'd like to see the proposal require that the resolver validate any query itself if it uses the option; otherwise we're going to see interoperability problems with this option once resolvers *do* start validating, because people will have set their internal zones up wrong.
I think you also need to document the signing architectures that will work with this option: either don't sign the zone that contains referrals for the internal zone, or else sign two copies of the zone: one that's visible from outside and contains no referrals, and a second one that's visible from inside and contains referrals. The validating resolver obviously must use the substitute server for the entire query, not just for the queries in that subdomain, or it will get the wrong information from its query for the referral to the internal zone.

I realize this may not be agreeable to you, but if it is, I could attempt to write text for it. I am not an expert on DNSSEC, so someone who is probably ought to read the text and criticize it.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
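The validation point made in the reply above, as an added toy model that is not from the thread or from any DNS implementation: HMAC-SHA256 stands in for RRSIG (assuming only a zone's legitimate server holds that zone's key), DS is a digest of the child zone's key, and the resolver holds the root key as its trust anchor. It shows a non-validating resolver accepting an answer from an attacker-designated server for the internal zone, while a validating resolver rejects the same answer as bogus; all keys, names and addresses are constructed.

```python
import hashlib
import hmac


def rrsig(key, name, rtype, rdata):
    # Stand-in for an RRSIG: a MAC over one RRset under the zone's key (toy model).
    return hmac.new(key, f"{name}|{rtype}|{rdata}".encode(), hashlib.sha256).hexdigest()


def zone_server(zone, key, records):
    # One server's view of a zone: every RRset, DNSKEY included, signed with `key`.
    rrsets = {**records, ("DNSKEY", zone): key.hex()}
    return {"zone": zone, "rrsets": {(t, n): (v, rrsig(key, n, t, v)) for (t, n), v in rrsets.items()}}


def resolve(name, rtype, path, anchor, validate):
    """Follow the zone cut chain `path` (root server first, answering server last).
    A validating resolver checks each zone's DNSKEY against the DS its signed parent
    published (the trust anchor for the root) and each RRset against that DNSKEY."""
    expected_ds = hashlib.sha256(anchor).hexdigest()
    rdata = None
    for i, srv in enumerate(path):
        zone = srv["zone"]
        dnskey, sig = srv["rrsets"][("DNSKEY", zone)]
        key = bytes.fromhex(dnskey)
        if validate and (hashlib.sha256(key).hexdigest() != expected_ds
                         or sig != rrsig(key, zone, "DNSKEY", dnskey)):
            raise ValueError(f"bogus DNSKEY for {zone}")
        # Last hop: the answer itself; otherwise the signed referral (DS) to the next zone.
        target = (rtype, name) if i == len(path) - 1 else ("DS", path[i + 1]["zone"])
        rdata, sig = srv["rrsets"][target]
        if validate and sig != rrsig(key, target[1], target[0], rdata):
            raise ValueError(f"bogus {target[0]} for {target[1]}")
        expected_ds = rdata  # the DS just verified is what the next zone's key must match
    return rdata


# Constructed keys, zones and addresses.
ROOT_KEY, EXAMPLE_KEY, CORP_KEY, ROGUE_KEY = b"k-root", b"k-example", b"k-corp", b"k-rogue"
root = zone_server(".", ROOT_KEY, {("DS", "example."): hashlib.sha256(EXAMPLE_KEY).hexdigest()})
# Inside view of example.: carries the signed referral (DS) to the internal zone.
example_inside = zone_server("example.", EXAMPLE_KEY,
                             {("DS", "corp.example."): hashlib.sha256(CORP_KEY).hexdigest()})
corp = zone_server("corp.example.", CORP_KEY, {("A", "www.corp.example."): "10.0.0.5"})
# Server an attacker arranged to have designated for corp.example.; it holds only its own key.
rogue = zone_server("corp.example.", ROGUE_KEY, {("A", "www.corp.example."): "203.0.113.66"})


def query(last_server, validate):
    try:
        return resolve("www.corp.example.", "A", [root, example_inside, last_server], ROOT_KEY, validate)
    except ValueError as err:
        return f"SERVFAIL ({err})"  # a real validating resolver returns SERVFAIL for bogus data
```

Calling `query(rogue, validate=False)` returns the attacker's address, while `query(rogue, validate=True)` fails on the DNSKEY check because the rogue key does not match the DS the signed parent published.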
