On 25 Jul 2008, at 15:31, bert hubert wrote:
> On Fri, Jul 25, 2008 at 01:03:05PM -0400, Joe Abley wrote:
>> I think that's wrong. I think that once someone is in the position of being able to meddle with the query/response stream, all bets are off and DNSSEC is no cure.
>
> Wow - sure? I may be no friend of DNSSEC but I always assumed DNSSEC would be 'perfect' in this way.
>
> If this is true, it only strengthens the case that the hassle of DNSSEC exceeds its merits by at least an order of magnitude.
I am feeling very ignorant right now, so let nobody take what follows as the voice of authority.
Imagine a world in the future in which the root zone is signed, and some TLD zones are signed, and some other zones are signed.
It seems to me that a bare validator, freshly started, with no cache and no special configuration, knows nothing about what zones in the world are secured and which are not.
If such a validator asks a question of a root server, or a TLD server, or some other server, and gets back an insecure referral, it seems to me the validator has no real way of knowing whether the insecure answers are from middleboxes, or direct from real infrastructure that happens not to have deployed DNSSEC.
Hand-configuring your validator to tell it "ORG is signed, root is signed, don't believe anybody who tells you otherwise" would presumably fix that. But replicating such dynamic information by way of static configuration in millions of independently-managed resolvers doesn't seem very scalable.
Perhaps it's sufficient just to tell your validator "the root is signed, don't believe answers which suggest otherwise". But that requires a signed root, and in the meantime DNSSEC isn't providing any protection from middleboxes.
Joe

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
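The distinction Joe draws (a bare validator cannot tell a stripped referral from a genuinely unsigned one, while a configured trust anchor turns the same stripped referral into a validation failure) can be written down as a small validator state machine. This is an added illustration, not code from the thread or from any resolver; the `validate` function, the three referral kinds and the delegation paths below are constructed, and it abstracts away the actual DS/DNSKEY/RRSIG checking.

```python
# Constructed model of how a DNSSEC validator classifies a delegation path.
# Each step is (child_zone, what_the_parent_referral_carried):
#   "ds"       - a signed DS RRset: the child is expected to be signed
#   "no_ds"    - a signed denial (NSEC/NSEC3) that no DS exists: child is
#                legitimately unsigned, i.e. an insecure delegation
#   "unsigned" - no signed records at all, which is what a validator sees
#                both from an unsigned parent and from a middlebox that
#                stripped the DNSSEC records
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

def validate(path, trust_anchors):
    """Walk a delegation path from the root and return the final zone's
    validation state. trust_anchors is a set of zone names the validator
    has been told are signed ("." for the root)."""
    state = SECURE if "." in trust_anchors else INSECURE
    for zone, referral in path:
        if zone in trust_anchors:
            state = SECURE      # configured knowledge overrides the parent
            continue
        if state != SECURE:
            continue            # below an insecure delegation nothing can
                                # be checked: stripped and unsigned look alike
        if referral == "ds":
            state = SECURE
        elif referral == "no_ds":
            state = INSECURE    # provably unsigned child: a legitimate answer
        else:
            state = BOGUS       # a signed parent must send DS or a signed
            break               # denial; neither means tampering or breakage
    return state

if __name__ == "__main__":
    stripped = [("org.", "unsigned"), ("example.org.", "unsigned")]
    real_insecure = [("org.", "no_ds"), ("example.org.", "unsigned")]
    # Bare validator, no anchors: the stripped path is indistinguishable
    # from an unsigned world, so it is merely "insecure", not an error.
    print("no anchors, stripped      :", validate(stripped, set()))
    # Signed root configured: the same stripped path now fails validation.
    print("root anchor, stripped     :", validate(stripped, {"."}))
    print("root anchor, real insecure:", validate(real_insecure, {"."}))
    # Hand-configured "ORG is signed" without a signed root also catches
    # stripping below org, which is the static-configuration workaround.
    print("org anchor, stripped      :", validate(stripped, {"org."}))
```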