Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
On 24 Jul 2008, at 07:49, Brian Dickson wrote:

> His resolver does its thing, but before it gets very far, the DNS
> queries it makes get intercepted, and bad
> answers from the hacked box get sent back, instead sending him to
> https://phishing-site.tld.
>
> DNSSEC makes this impossible.

Surely, DNSSEC making that impossible relies on the validator on Joe's
laptop insisting that the TLD and MYBANK.TLD zones are signed, and
that a trust anchor exists to verify the signatures.

If the validator on Joe's laptop has an empty cache, and no
configuration which will make it insist particularly that those zones
are signed, surely the middleware which is replying to queries could
just return as if the root, TLD and MYBANK.TLD zones are unsigned. At
that point there will be no signatures to verify, and it will be as if
DNSSEC was never deployed.

[If the validator has cached security information from the results of
previous queries, then it might be able to know that a lack of
signatures received whilst in the hotel is a problem. But things
expire from caches, laptops run out of power and get restarted,
operating system patches require reboots, etc, so it doesn't seem
reasonable to assume this will always be the case. "impossible" above
is fairly absolute.]

I keep seeing people insist that query-intercepting middleware will be
defeated with DNSSEC, but I can't see why. Perhaps I'm missing
something.

Joe
--
archive: <http://ops.ietf.org/lists/namedroppers/>
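
An added example, not part of the original message: a simplified Python model of the RFC 4035 section 4.3 validation states for the scenario discussed above, comparing a validator with no trust anchor against one anchored at the root. Signature checks are reduced to booleans, and `ZoneView`, `classify`, `resolver_action`, `view` and the sample observations are constructed for illustration.

```python
# Simplified model of the RFC 4035 section 4.3 validation states.
# Signature checks are reduced to booleans; all observations are constructed.
from dataclasses import dataclass

@dataclass
class ZoneView:
    """What a validator observed for one zone on the path root -> leaf."""
    name: str
    ds: str             # from the parent: "valid", "proven_absent" or "missing"
    rrsigs_valid: bool  # zone's DNSKEY and answer RRSIGs present and verifying

def classify(path, trust_anchors):
    """Return 'secure', 'insecure', 'bogus' or 'indeterminate' for the leaf."""
    # Start at the first zone on the path for which an anchor is configured.
    start = next((i for i, z in enumerate(path) if z.name in trust_anchors), None)
    if start is None:
        return "indeterminate"   # no anchor covers the name: nothing to insist on
    if not path[start].rrsigs_valid:
        return "bogus"           # anchored zone must verify against the anchor
    for zone in path[start + 1:]:
        if zone.ds == "proven_absent":
            return "insecure"    # parent signed a denial of DS: child is unsigned
        if zone.ds == "missing" or not zone.rrsigs_valid:
            return "bogus"       # unsigned "no DS" claim, or broken signatures
    return "secure"

def resolver_action(state):
    """Hypothetical policy: only 'bogus' makes the answer unusable."""
    if state == "bogus":
        return "SERVFAIL"
    return "answer, authenticated" if state == "secure" else "answer, unauthenticated"

def view(ds, ok):
    """Build a constructed root -> tld. -> mybank.tld. path with uniform observations."""
    return [ZoneView(n, ds, ok) for n in (".", "tld.", "mybank.tld.")]

# Constructed observations
STRIPPED = view("missing", False)   # interceptor answers as if nothing is signed
SIGNED = view("valid", True)        # every zone signed and verifying
UNSIGNED_LEAF = SIGNED[:2] + [ZoneView("mybank.tld.", "proven_absent", False)]

if __name__ == "__main__":
    cases = [("stripped", STRIPPED), ("signed", SIGNED), ("unsigned leaf", UNSIGNED_LEAF)]
    for label, path in cases:
        for anchors in (set(), {"."}):
            state = classify(path, anchors)
            print(f"{label:14} anchors={sorted(anchors)!s:6} {state:14} {resolver_action(state)}")
```
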