[dnssec-deployment] AP: "Use of Rogue DNS servers on rise"

Edward Lewis Ed.Lewis at neustar.biz
Mon Feb 18 02:52:03 EST 2008


At 18:31 +1100 2/18/08, Mark Andrews wrote:

>	DNSSEC is designed to protect to the application.  Whether
>	it is used that way remains to be seen.

No, no, it isn't.  If that were true, we would have never designed 
message integrity mechanisms.  We would have never defined the AD and 
CD bits.

When DNSSEC was designed and redesigned, it was supposed to mimic the 
actions of the unprotected DNS.  I.e., the use of caches.  Just as 
caches are a way to limit the times a "site" goes to an authoritative 
server and limits the times when nodes of the site have to go beyond 
the cache, DNSSEC validation was thought to be located at the caches. 
Just like any application can do DNS iteration, an application can do 
DNSSEC.  But because we defined DNSSEC to be like DNS, we also then 
added the "last hop" mechanisms.

TSIG and SIG(0) only say that the message between the stub (client) 
and the first responder (cache) transferred untouched.  CD means 
"don't do DNSSEC for me" which was needed because we assumed 
otherwise the first responder would only return what it thought was 
good.  (Think "clock skew" for one.)  And AD means the first 
responder checked and according to its policy, the data entered the 
server good.

If we thought that DNSSEC was protecting out to the application, we 
would not have put validation in the caches.  We would not assume 
that caches were going to check.  We would have dropped caches doing 
validation because for a while running NTP on a DNS server was a 
novelty.

Anytime we've tried to mission creep the intention of DNSSEC we got 
slapped back.  (Remember SIKED BOF?  See what happened when signing 
the root meant more than just getting the data transfers to be 
secure?)  DNSSEC (RFC 4033-4035) is only server to server.

We spent a long time dealing with the semantics of DNSSEC in user 
interfaces like HTML renderers. It was apparent that DNS'ers are not 
the best group to say what's right for applications.  It would be a 
design mistake to have proposed an extension to DNS that would 
provide security to applications.  The best we can do is to offer to 
the applications data that got to the fringes of the DNS "safely."

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Mail archives, backups.  Sometimes I think the true beneficiaries of
standards work are the suppliers of disk drives.
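The AD/CD and last-hop point in the post above, as an added example that is not part of the original message or of any list member's code: a small encoder/decoder for the DNS header flags word (bit positions from RFC 1035 and RFC 4035), and a helper showing why a stub should only act on the AD bit when the stub-to-cache hop is itself integrity-protected. The function names and the `last_hop_protected` argument are assumptions; that argument stands in for the result of a TSIG or SIG(0) check, which is not implemented here. The sample response header is constructed, not captured traffic.

```python
import struct

# Bit positions in the 16-bit DNS header flags word: QR/AA/TC/RD/RA from
# RFC 1035 s4.1.1; AD and CD from RFC 4035 s3.1.6 (first defined in RFC 2535).
QR, AA, TC, RD, RA, AD, CD = 15, 10, 9, 8, 7, 5, 4
OPCODE_SHIFT, RCODE_MASK = 11, 0x000F
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_query_header(txid, checking_disabled=False):
    """12-byte header for a stub query with RD set.  CD is set when the stub
    wants unvalidated data back (the "don't do DNSSEC for me" case), for
    example because it validates itself or its clock disagrees with the cache."""
    flags = 1 << RD
    if checking_disabled:
        flags |= 1 << CD
    return HEADER.pack(txid, flags, 1, 0, 0, 0)


def parse_header(data):
    """Decode the fixed 12-byte DNS header into a dict of named fields."""
    if len(data) < HEADER.size:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(data)

    def bit(pos):
        return bool((flags >> pos) & 1)

    return {
        "id": txid,
        "qr": bit(QR), "aa": bit(AA), "tc": bit(TC), "rd": bit(RD), "ra": bit(RA),
        "ad": bit(AD), "cd": bit(CD),
        "opcode": (flags >> OPCODE_SHIFT) & 0xF,
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def stub_trusts_answer(hdr, last_hop_protected):
    """A stub may treat an answer as validated only when the cache asserts it
    (AD set) AND the stub-to-cache hop is integrity-protected (TSIG/SIG(0) or
    equivalent, represented here by the assumed last_hop_protected flag).
    Without that, AD is just a header bit anyone on the path could set or clear."""
    return bool(hdr["ad"] and last_hop_protected)


# Constructed sample response header: QR|RD|RA|AD set, 1 question, 1 answer, NOERROR.
SAMPLE_RESPONSE = HEADER.pack(
    0x1234, (1 << QR) | (1 << RD) | (1 << RA) | (1 << AD), 1, 1, 0, 0
)
```

Used on a real message, `parse_header` only reads the first twelve bytes, so the question and answer sections can follow unchanged; the stub decides with `stub_trusts_answer` after its own last-hop check, which is exactly the split between "data got to the fringe of the DNS safely" and "the application decides what that is worth".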


