Quote from Patrik Fältström <[email protected]>:

> On 21 Aug 2015, at 9:49, Andi via Unbound-users wrote:
>
>> I also find it very useful because DNSSEC should be integrated per
>> device to be useful/secure IMHO.
>
> I must say I disagree with the statement, because it sounds as if the
> usefulness of DNSSEC is black and white, yes or no. And that it is
> useless today as no validation is happening locally.
>
> In reality, you already today must trust various pieces of the
> zeroconf tussle, and one of them is the recursive resolver of your
> choice (or rather, the one your [trusted] DHCP server is giving to
> you).

At least for mobile devices the user has no real way to decide if the
DNS provided is really secure or not. Because of this it is preferable
to do DNSSEC per device and ignore the resolver provided by DHCP if
possible.

> There are a multitude of attack vectors in the local network, but
> because of that, creating mechanisms for those to do a better job
> will make things better. And I am specifically thinking of the
> ability for a recursive resolver to do validation.
>
> So, I definitely think DNSSEC is useful even if validation is not
> happening in the local device.

There are networks where it indeed is no problem to do central DNSSEC
validation, but mostly if the network is separated from the internet
and is some form of managed network like in company environments. We
have done it that way since .de was signed.

> In Sweden, more than 95% of resolvers do validate DNSSEC signed
> responses (I think it was, according to Geoff's measurements), and
> that is A Good Thing. More ISPs and cellphone providers etc. should
> immediately turn on validation!

It doesn't harm, but for devices using random untrusted networks it is
best to do DNSSEC on the device, so you will always be sure that the
DNS replies are as safe as possible.

> Unfortunately statements like the one above I hear as arguments for
> not doing so.

The possibility of doing better should never be an excuse for doing
nothing. My only point was that Unbound or something similar should be
on stock Android soon, so the ones who care about secure DNS can
simply activate it.

> That said, I completely agree that the goal must be to have
> validation happen locally, although that will in some cases
> (various mixed IPv6/IPv4 environments for example) not work.
> But in those you are doomed anyway if you do not trust the local
> environment.

The only cases where I have seen DNSSEC completely fail are when UDP
*and* TCP port 53 are not available unfiltered. There are some stupid
SOHO routers which always direct all port 53 traffic to themselves, but
fail to handle DNSSEC in a useful way.

Regards
Andreas
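The two practical points in the thread (whether the DHCP-supplied resolver claims to validate, and that DNSSEC-sized answers fall over when TCP port 53 is filtered) can be checked from the wire format alone. The following is an added, constructed example, not code from the thread or from the Unbound project: it builds a query that sets the EDNS0 DO bit, and classifies a reply by its header flags (AD, TC, RCODE, transaction ID). The sample replies are hand-built header+question messages; the name `example.com` and the transaction IDs are arbitrary.

```python
"""Constructed example: DNSSEC-related header handling in DNS wire format
(RFC 1035, RFC 3225, RFC 4035, RFC 6891). No resolver is contacted."""
import struct

FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: client must retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data: resolver claims it validated
RCODE_MASK = 0x000F
TYPE_OPT = 41      # EDNS0 OPT pseudo-RR
DO_BIT = 0x8000    # "DNSSEC OK" flag in the OPT TTL field

QNAME = "example.com"   # assumed name, used only for the constructed samples


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, dnssec_ok=True, udp_payload=1232):
    """RD query with one OPT record; DO set asks for RRSIG/NSEC data."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = DO_BIT if dnssec_ok else 0   # ext-rcode=0, version=0, flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, opt_ttl, 0)
    return header + question + opt


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "arcount": ar}


def query_do_bit(query):
    """True if the first additional record is an OPT RR with DO set."""
    hdr = parse_header(query)
    if hdr["arcount"] == 0:
        return False
    pos = 12
    for _ in range(hdr["qdcount"]):          # skip question (no compression)
        while query[pos] != 0:
            pos += 1 + query[pos]
        pos += 1 + 4                         # terminator + QTYPE + QCLASS
    if query[pos] != 0:                      # OPT owner name must be root
        return False
    rtype, _payload, ttl = struct.unpack("!HHI", query[pos + 1:pos + 9])
    return rtype == TYPE_OPT and bool(ttl & DO_BIT)


def classify_response(query, response):
    """Classify a reply to `query` by header flags alone."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "ignore"            # stray or spoofed: wrong ID / not a response
    if r["tc"]:
        return "retry-over-tcp"    # needs TCP 53; fails on filtering SOHO routers
    if r["rcode"] == 2:
        return "servfail"          # validator rejecting bogus data, or broken path
    if r["rcode"] not in (0, 3):
        return "error"
    return "ad-set" if r["ad"] else "no-ad"


# Constructed sample replies: header + echoed question, no answer records.
QUERY = build_query(QNAME, txid=0x2A2A)
_QUESTION = encode_name(QNAME) + struct.pack("!HH", 1, 1)


def _reply(flags, txid=0x2A2A):
    return struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | flags, 1, 0, 0, 0) + _QUESTION


SAMPLES = {
    "validating":      _reply(FLAG_RA | FLAG_AD),
    "non_validating":  _reply(FLAG_RA),
    "bogus_or_broken": _reply(FLAG_RA | 2),          # SERVFAIL
    "truncated":       _reply(FLAG_RA | FLAG_TC),
    "spoofed_id":      _reply(FLAG_RA | FLAG_AD, txid=0x1111),
}

if __name__ == "__main__":
    print("query sets DO:", query_do_bit(QUERY))
    for label, resp in SAMPLES.items():
        print(f"{label:16s} -> {classify_response(QUERY, resp)}")
```

The caveat is the one the thread is about: an AD flag only means the resolver at the other end of an unauthenticated UDP path says it validated, so on an untrusted network "ad-set" from the DHCP-supplied resolver proves nothing. A device that wants the assurance has to run its own validator (Unbound with a configured trust anchor) and query with CD set so upstream SERVFAILs do not mask bogus data; the "retry-over-tcp" and "servfail" outcomes are what such a validator sees behind a router that swallows port 53.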