[dnssec-deployment] AP: "Use of Rogue DNS servers on rise"

Steve Crocker steve at shinkuro.com
Mon Feb 18 23:06:43 EST 2008


kc,

This is an interesting line of reasoning, and it caused me to think
through the likely scenario.  I think what will happen is probably a
bit different from this all or nothing confrontational scenario
you're suggesting.  Instead, I think zones will gradually get
signed.  Once the root and some key top level domains are signed, I
would expect the pace will pick up.  As soon as there are an
interesting number of signed zones, DNSSEC-capable validators will
start to become more prevalent, and checking of signatures will increase.

It's at this point that the tension you and Ed refer to will start.   
Intermediate name servers may throw away the signature records and  
may rewrite the responses.  This will pose a problem for anyone  
trying to check signatures.

I think what will happen next is that end user systems will start to  
be sensitized to which name server they're using.  If the local  
hotel, ISP, etc. attempts to intercept their DNS lookups, I expect  
there will be some push back.  Thus, I think two levels of DNS  
service will emerge, a service provided by and modified at will by  
the local service provider, and a clean service from your trusted DNS  
service provider.

That's my crystal ball for today.

Cheers from India.

Steve

On Feb 19, 2008, at 4:51 AM, k claffy wrote:

> On Sun, Feb 17, 2008 at 02:22:59PM +0000, paul v wrote:
>> //
>>   The only fly in the ointment, is that supposition in the paper that in
>>   many cases this is being done for purposeful business reasons ... not
>>   malicious ones. There, the thing that would be detected is something that
>>   was thought to be a value add by those rewriting DNS responses.
>> //
>>
>> puts us right in the net neutrality crosshairs, huh.  (i hope network
>> neutrality isn't our NP-complete problem, such that if we reduce a problem
>> to the net neutrality problem, we've proven it's unsolvable in the current
>> architecture..)
>
>   tempting though it would be, no.  if dnssec ever happens, then it'll bomb
>   the nxdomain rewriting industry back into the stone age.  nothing congress
>   can do, or not do, will make any of that happen faster or slower.
>
> i'm talking about a different flow of logic.
>
> if the destruction of legal and profitable businesses is a
> necessary condition to having the same companies support dnssec,
> we may be deadlocked.  lawyers will win this arms race,
> and typo monetization can buy the best lawyers for sale.
>
> just like if the destruction of legal and profitable traffic
> engineering practices is a necessary condition to having
> network neutrality, we're deadlocked in the current architecture.
> either the technology or policy architecture has to change.
> eventually we should consider which can be changed+deployed faster.
>
>   (and as long as net neutrality continues to completely miss the point, such
>   that anyone other than a lobbyist will say "but that's not the real issue!",
>   then we won't have gov't regulated settlement rates, nor universal access.)
>
> i hope no one ever says such a thing about dnssec and security
>
> k
>
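The two failure modes discussed in this thread, an intermediate name server discarding the signature records and a resolver rewriting NXDOMAIN into an address ("typo monetization"), are both visible from the client side, which is how end user systems would become "sensitized" to the resolver they are using. The following is an added example written for this page, not code from the list or from any participant. It uses only the Python standard library: it builds a query with the EDNS0 DO bit set, parses the reply, and classifies it. The resolver address and the two probe names (one in a zone the operator knows to be signed, one that should not exist) are assumptions supplied on the command line; the messages in the offline demonstration are constructed, and the verdict "signatures-stripped" is only meaningful for a name whose zone is known to be signed, since an unsigned zone legitimately has no RRSIGs.

```python
"""Resolver check: do RRSIG records survive, and is NXDOMAIN rewritten?

Added example (not from the mailing-list thread). Standard library only.
"""
import socket
import struct
import sys

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_AD = 0x0020          # Authenticated Data bit in the header flags
EDNS_DO = 0x00008000      # DNSSEC OK bit, carried in the OPT record's TTL field


def encode_name(qname):
    """Wire-format a dotted name (no compression)."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT record asking for DNSSEC data (DO=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)  # root name, udp size 4096
    return header + question + opt


def build_response(qname, rcode, answer_types, txid=0x1234, ad=False):
    """Constructed response for offline use: one A question, dummy RDATA per answer type."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode            # QR, RD, RA (+AD), rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer_types), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for rtype in answer_types:
        rdata = b"\x7f\x00\x00\x01" if rtype == TYPE_A else b"\x00" * 18
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return rcode, AD flag and the record types found in the answer section."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                                  # qtype + qclass
    answer_types = []
    for i in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i < an:                                                # answer section only
            answer_types.append(rtype)
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "answer_types": answer_types}


def classify(parsed, expect_nxdomain):
    """Label what the resolver did with the response."""
    if expect_nxdomain:
        if parsed["rcode"] == RCODE_NXDOMAIN:
            return "nxdomain-intact"
        if TYPE_A in parsed["answer_types"]:
            return "nxdomain-rewritten"   # an address was synthesised for a name that does not exist
        return "unexpected"
    if TYPE_RRSIG in parsed["answer_types"]:
        return "signatures-present"
    # DO was set but no RRSIG came back: for a zone known to be signed, the
    # resolver (or something in between) dropped the signatures.
    return "signatures-stripped"


def check_resolver(resolver_ip, signed_name, nonexistent_name, timeout=3.0):
    """Send both probes over UDP and classify each reply (needs network)."""
    results = {}
    for name, expect_nx in ((signed_name, False), (nonexistent_name, True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (resolver_ip, 53))
            data, _ = s.recvfrom(4096)
        results[name] = classify(parse_response(data), expect_nx)
    return results


if __name__ == "__main__":
    # usage: python check.py <resolver-ip> <known-signed-name> <name-that-should-not-exist>
    if len(sys.argv) == 4:
        for name, verdict in check_resolver(*sys.argv[1:]).items():
            print(f"{name}: {verdict}")
    else:  # offline demonstration on constructed messages
        clean = build_response("example.test", RCODE_NOERROR, [TYPE_A, TYPE_RRSIG], ad=True)
        stripped = build_response("example.test", RCODE_NOERROR, [TYPE_A])
        rewritten = build_response("nxd.example.test", RCODE_NOERROR, [TYPE_A])
        print(classify(parse_response(clean), False),
              classify(parse_response(stripped), False),
              classify(parse_response(rewritten), True))
```

Run with no arguments it exercises the classifier on the constructed messages; with a resolver address and two names it probes a live resolver. A "signatures-stripped" or "nxdomain-rewritten" verdict from the resolver handed out by a hotel or ISP is exactly the signal that would push an end system toward the "clean service from your trusted DNS service provider" that the message above anticipates.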