[dnssec-deployment] AP: "Use of Rogue DNS servers on rise"
Ed.Lewis at neustar.biz
Mon Feb 18 02:52:03 EST 2008
At 18:31 +1100 2/18/08, Mark Andrews wrote:
> DNSSEC is designed to protect to the application. Whether
> it is used that way remains to be seen.
No, no, it isn't. If that were true, we would have never designed
message integrity mechanisms. We would have never defined the AD and
When DNSSEC was designed and redesigned, it was supposed to mimic the
actions of the unprotected DNS. I.e., the use of caches. Just as
caches are a way to limit the times a "site" goes to a authoritative
server and limits the times when nodes of the site have to go beyond
the cache, DNSSEC validation was thought to be located at the caches.
Just like any application can do DNS iteration, an application can do
DNSSEC. But because we defined DNSSEC to be like DNS, we also then
added the "last hop" mechanisms.
TSIG and SIG(0) only say that the message between the stub (client)
and the first responder (cache) transferred untouched. CD means
"don't do DNSSEC for me" which was needed because we assumed
otherwise the first responder would only return what it thought was
good. (Think "clock skew" for one.) And AD means the first
responder checked and according to it's policy, the data entered the
If we thought that DNSSEC was protecting out to the application, we
would not have put validation in the caches. We would not assume
that caches were going to check. We would have dropped cache's doing
validation because for a while running NTP on a DNS server was a
Anytime we've tried to mission creep the intention of DNSSEC we got
slapped back. (Remember SIKED BOF? See what happened when signing
the root meant more than just getting the data transfers to be
secure?) DNSSEC (RFC 4033-4035) is only server to server.
We spent a long time dealing with the sematics of DNSSEC in user
interfaces like HTML renderers. It was apparent that DNS'ers are not
the best group to say what's right for applications. It would be a
design mistake to have proposed an extension to DNS that would
provide security to applications. The best we can do is to offer to
the applications data that got to the fringes of the DNS "safely."
Edward Lewis +1-571-434-5468
Mail archives, backups. Sometimes I think the true beneficiaries of
standards work are the suppliers of disk drives.
More information about the Dnssec-deployment