Ed.Lewis at neustar.biz
Fri Apr 17 13:13:38 EDT 2009
I'm not sure I comprehend the "German political" situation; I presume
the problem has to do with altering the DNS response.
This is a topic DNSSEC is going to run headlong into. I'm not sure
what opinion I have on it yet.
Without trying to assign any judgement to how responses are
generated/modified, here are the various ways a response might come:
1) Canonical "from the zone file" by an authoritative server via cache
2) Computed by the authoritative server via cache (includes wildcards)
3) Computed by the cache for the purposes of capturing traffic
4) Computed by the cache for the purposes of rewriting name errors
5) Computed by the cache for the purposes of, say, IPv6/IPv4 translation
6) Computed by the cache for the purposes of blocking access to locations
6a - could be political; 6b - could be parental
7) Computed by the cache for other network performance/operations reasons
DNSSEC is easily fitted to #1 and #2. (It was defined with #1 in mind.)
DNSSEC can coexist with #3-#7 if the client of the cache doesn't try
to validate from "some" root public key; maybe the cache can validate
and use hop-by-hop IPSEC or TSIG with the AD bit to the client.
If the client is a "power user" and is validating all answers, they
have to realize which of these situations they are in:
Case 1) Cache computes answers for technical reasons
Case 2) Cache computes answers for philosophical reasons
Case 3) Cache computes answers for security reasons
Case 4) Cache computes answers for financial reasons
(and maybe more)
Case 1 - e.g., an IPv6 island in an IPV4 lake. The power user has to
either capitulate or "just not function."
Case 2 - I'll take the benign first - you're 12 and your parents
won't let you go to that chat room. The less benign - the monarchy
doesn't want you to see criticisms of the royals. The downright
"wrong" - the despot doesn't want you to know about that death camp
in the other city.
Case 3 - It's a pay-as-you-go network. You have to be authenticated,
billed and authorized before I'll let you out the WWW. (For
example.) For the power user, pretty much the same situation as the
Case 4 - e.g., the name doesn't exist, so I'll show you a search page.
I'd agree that there are open issues with Cases 2 and 4. It's clear
to me in #2 there's no fail-safe for DNSSEC configuration, any choice
made is moral and I bet many folks would have a split decision on
what to do (e.g., comply with parents but disobey monarchy). As far
as 4, well, it's like this - you have a choice of having network
access that makes money for someone or no network at all.
It's not clear to me that DNSSEC "should be" used as a tool to obviate
policies that regulate response modification. That's because the
cases where I might agree are surrounded by many cases where I'd
What has this to do with dnssec-deployment (the name of the list)? I
guess to express a general thought that DNSSEC should be there to
detect altering answers but not get in the way of altered answers
that are done so for legitimate purposes. Yes, yes, that's an open
question - what's a legitimate reason?
I certainly don't think there's a straight answer to "political"
issues. First because they are jurisdictional and second, there are
two sides to them, each with probably some legitimate claims. DNSSEC
is a global technology, not the same thing. DNSSEC won't solve
political issues - or politics.
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.