[dnssec-deployment] dot MUSEUM implemented DNSSEC

Edward Lewis Ed.Lewis at neustar.biz
Mon Sep 22 12:04:02 EDT 2008

At 7:20 -0700 9/22/08, Patrik Fältström wrote:

>So to some degree, things are more fragile with DNSSEC than without.

I don't buy that.  Well, not really.

Take any working system and add security to 
it, and yes, the result is something more fragile (I 
have used the word "brittle" over the years).  This 
can be proven by examining a state machine - as you 
invalidate states (which is what security does) 
you create more choke points in the state machine.

We knew this when DNSSEC was designed.  We tried 
many techniques to prevent DNSSEC from making DNS 
brittle; many of them died on the drawing board. 
Still the resulting design of DNSSEC is not much 
more brittle than the original system - 
considering the fragile nature of DNS to begin 

Where we could not overcome making DNS fragile - 
system clock mis-setting.  We had to introduce 
absolute time to DNS to thwart replay attacks. 
Hence a system with a clock that is incorrectly 
set will fail DNSSEC checks (and TSIG too).

But when it comes to screwing up the DS set, this 
is not any more fragile than the NS set.  A signer 
has the option to use multiple DS records in a 
set - maybe one for each different algorithm in 
use.  And a totally hosed DS set is less 
disruptive than a totally hosed NS set because in 
the former, the NS set (if un-hosed) is still 
available for hand inspection by a technician.

Ok, I guess Patrik's "to a degree" is right - 
but not when it comes to the delegation data. 
You can configure the security mechanism to be 
more robust than a single failure.  In fact, 
DNSSEC's original design was to allow any entity 
to sign the RRSIG - but that was crimped back 
until a workable policy and policy language for 
that could be generated.

There are multiple "paths" to just about everything 
in DNSSEC.  Single shots need not take down 
DNSSEC where it would take two shots for DNS. 
However, the work to make DNSSEC less fragile is 
not always easy.  It can be done tho'.

Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.
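The two mechanisms discussed above (the absolute-time RRSIG window that a mis-set clock falls outside of, and a DS set in which any one matching record is enough to authenticate the child's key) as an added Python illustration; this is not code from the post or from any DNSSEC implementation. The owner name "museum." and the DNSKEY public-key bytes are constructed sample values.

```python
import hashlib
import struct
from datetime import datetime, timezone

# --- RRSIG validity window (RFC 4034 3.1.5, RFC 4035 5.3.1) ---------------
# Inception/expiration are 32-bit seconds-since-epoch values compared with
# serial-number arithmetic (RFC 1982). A validator whose clock is wrong
# simply lands outside the window and rejects an otherwise good signature.

def serial_gt(a, b):
    """True when 32-bit serial a is later than b under RFC 1982 rules."""
    half = 1 << 31
    return (a > b and a - b < half) or (a < b and b - a > half)

def rrsig_time(text):
    """Presentation form YYYYMMDDHHMMSS (UTC) -> 32-bit wire value."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF

def rrsig_time_ok(inception, expiration, now):
    """Signature is usable only while inception <= now <= expiration."""
    return not serial_gt(inception, now) and not serial_gt(now, expiration)

# --- DS set with more than one record (RFC 4034 5, RFC 4509, RFC 6605) ----
def name_wire(owner):
    """Canonical (lower-cased) wire form of the owner name."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire || DNSKEY RDATA); types 1, 2, 4."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_wire(owner) + rdata).digest()

def ds_set_covers(owner, ds_set, dnskey):
    """True if any DS (tag, alg, digest_type, digest) authenticates dnskey.
    One hosed DS does not break the chain while another still matches."""
    tag, alg = key_tag(dnskey), dnskey[3]
    for ds_tag, ds_alg, dtype, digest in ds_set:
        if (ds_tag, ds_alg) == (tag, alg) and dtype in (1, 2, 4):
            if ds_digest(owner, dnskey, dtype) == digest:
                return True
    return False

# Constructed sample: KSK flags 257, protocol 3, algorithm 8, fake key bytes.
SAMPLE_OWNER = "museum."
SAMPLE_DNSKEY = struct.pack("!HBB", 257, 3, 8) + bytes(range(1, 65))
```

Feeding `rrsig_time_ok` a `now` taken from a clock years off shows the failure the post describes, while `ds_set_covers` returns True as long as one DS in the parent's set still matches.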
