[dnssec-deployment] dot MUSEUM implemented DNSSEC
Ed.Lewis at neustar.biz
Mon Sep 22 12:04:02 EDT 2008
At 7:20 -0700 9/22/08, Patrik Fältström wrote:
>So to some degree, things are more fragile with DNSSEC than without.

I don't buy that. Well, not really.

Given any working system and then add security to
it, yes, the result is something more fragile (I
used the word "brittle" over the years). This
can be proven by examining a state machine - as you
invalidate states (which is what security does)
you create more choke points in the state machine.

We knew this when DNSSEC was designed. We tried
many techniques to prevent DNSSEC from making DNS
brittle, many of them died on the drawing board.
Still the resulting design of DNSSEC is not much
more brittle than the original system -
considering the fragile nature of DNS to begin

Where we could not overcome making DNS fragile -
system clock mis-setting. We had to introduce
absolute time to DNS to thwart replay attacks.
Hence a system with a clock that is incorrectly
set will fail DNSSEC checks (and TSIG too).

But when it comes to screwing up the DS set, this
is not any more fragile than the NS set. A signer
has the option to use multiple DS records in a
set - maybe one for each different algorithm in
use. And a totally hosed DS set is less
disruptive than a totally hosed NS set because in
the former, the NS set (if un-hosed) is still
available for hand inspection by a technician.

Ok, I guess Patrik's "to a degree" is right -
but not when it comes to the delegation data.

You can configure the security mechanism to be
more robust than a single failure. In fact,
DNSSEC's original design was to allow any entity
to sign the RRSIG - but that was crimped back
until a workable policy and policy language for
that could be generated.

There's multiple "paths" to just about everything
in DNSSEC. Single shots need not take down
DNSSEC where it would take two shots for DNS.

However, the work to make DNSSEC less fragile is
not always easy. It can be done tho'.

Edward Lewis +1-571-434-5468
Never confuse activity with progress. Activity pays more.
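
The clock dependence described in the message above, shown as an added example that is not part of the original post: an RRSIG validity-window check in the style of RFC 4034 section 3.1.5, where the same signature passes or fails depending on the validator's clock. All timestamps, the skew values and the function names are constructed for the illustration.

```python
# Added illustration: RRSIG validity-window check against the validator's clock.
# All timestamps and skew values below are constructed for the example.
import calendar
import time

MOD = 1 << 32    # RRSIG time fields are 32-bit unsigned seconds since the epoch
HALF = 1 << 31   # comparison horizon for serial number arithmetic


def parse_rrsig_time(text):
    """Convert the presentation form YYYYMMDDHHmmSS (UTC) to a 32-bit field."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) % MOD


def serial_le(a, b):
    """a <= b under RFC 1982 serial number arithmetic on 32-bit values."""
    return ((b - a) % MOD) < HALF


def check_window(inception, expiration, now):
    """Return 'valid', 'not-yet-valid' or 'expired' for the validator's clock."""
    now %= MOD
    if not serial_le(inception, now):
        return "not-yet-valid"
    if not serial_le(now, expiration):
        return "expired"
    return "valid"


def replay_demo():
    inception = parse_rrsig_time("20080915000000")
    expiration = parse_rrsig_time("20080929000000")
    true_now = parse_rrsig_time("20080922160402")
    day = 86400
    return {
        "correct clock": check_window(inception, expiration, true_now),
        "clock 10 days slow": check_window(inception, expiration, true_now - 10 * day),
        "clock 10 days fast": check_window(inception, expiration, true_now + 10 * day),
        # A signature captured earlier and replayed later: its window has closed.
        "replayed old RRSIG": check_window(
            parse_rrsig_time("20080801000000"),
            parse_rrsig_time("20080815000000"),
            true_now,
        ),
    }


if __name__ == "__main__":
    for case, verdict in replay_demo().items():
        print(f"{case}: {verdict}")
```

The check that rejects the replayed signature is the same one that rejects a current signature when the local clock is wrong, which is why time synchronisation becomes an operational dependency of validation.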