fine lines

Edward Lewis Ed.Lewis at neustar.biz
Fri Apr 17 13:13:38 EDT 2009


I'm not sure I comprehend the "German political" situation; I presume 
the problem has to do with altering the DNS response.

This is a topic DNSSEC is going to run headlong into.  I'm not sure 
what opinion I have on it yet.

Without trying to assign any judgement to how responses are 
generated/modified, here are the various ways a response might come 
about:

1) Canonical "from the zone file" by an authoritative server via cache
2) Computed by the authoritative server via cache (includes wildcards)
3) Computed by the cache for the purposes of capturing traffic
4) Computed by the cache for the purposes of rewriting name errors
5) Computed by the cache for the purposes of, say, IPv6/IPv4 translation
6) Computed by the cache for the purposes of blocking access to locations
6a - could be political; 6b - could be parental
7) Computed by the cache for other network performance/operations reasons

DNSSEC is easily fitted to #1 and #2.  (It was defined with #1 in mind.)
DNSSEC can coexist with #3-#7 if the client of the cache doesn't try 
to validate from "some" root public key; maybe the cache can validate 
and use hop-by-hop IPSEC or TSIG with the AD bit to the client.

If the client is a "power user" and is validating all answers, they 
have to realize which of these situations they are in:

Case 1) Cache computes answers for technical reasons
Case 2) Cache computes answers for philosophical reasons
Case 3) Cache computes answers for security reasons
Case 4) Cache computes answers for financial reasons

(and maybe more)

Case 1 - e.g., an IPv6 island in an IPv4 lake.  The power user has to 
either capitulate or "just not function."

Case 2 - I'll take the benign first - you're 12 and your parents 
won't let you go to that chat room.  The less benign - the monarchy 
doesn't want you to see criticisms of the royals. The downright 
"wrong" - the despot doesn't want you to know about that death camp 
in the other city.

Case 3 - It's a pay-as-you-go network.  You have to be authenticated, 
billed and authorized before I'll let you out the WWW.  (For 
example.)  For the power user, pretty much the same situation as the 
first case.

Case 4 - e.g., the name doesn't exist, so I'll show you a search page.

I'd agree that there are open issues with Case 2 and 4.  It's clear 
to me in #2 there's no fail-safe for DNSSEC configuration, any choice 
made is moral and I bet many folks would have a split decision on 
what to do (e.g., comply with parents but disobey monarchy).  As far 
as 4, well, it's like this - you have a choice of having network 
access that makes money for someone or no network at all.

It's not clear to me that DNSSEC "should be" used as a tool to obviate 
policies that regulate response modification.  That's because the 
cases where I might agree are surrounded by many cases where I'd 
disagree.

What has this to do with dnssec-deployment (the name of the list)?  I 
guess to express a general thought that DNSSEC should be there to 
detect altering answers but not get in the way of altered answers 
that are done so for legitimate purposes.  Yes, yes, that's an open 
question - what's a legitimate reason?

I certainly don't think there's a straight answer to "political" 
issues.  First because they are jurisdictional and second, there are 
two sides to them, each with probably some legitimate claims.  DNSSEC 
is a global technology, not the same thing.  DNSSEC won't solve 
political issues - or politics.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
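
The arrangement mentioned in the message, where the cache validates and the client relies on the AD bit over an authenticated hop, sketched as an added example that is not part of the original post. The function name `stub_trust`, its return labels, and the `hop_authenticated` parameter (standing in for a TSIG or IPsec check done elsewhere) are assumptions, and the sample headers are constructed.

```python
import struct

# DNS header flag masks: RFC 1035 layout, AD/CD bits as used by DNSSEC (RFC 4035).
QR, AD, CD, RCODE_MASK = 0x8000, 0x0020, 0x0010, 0x000F
SERVFAIL = 2

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & RCODE_MASK, "ancount": an}

def stub_trust(msg: bytes, hop_authenticated: bool) -> str:
    """How a non-validating client might treat a response from its cache.

    hop_authenticated is an assumption: True only if the caller has already
    verified TSIG or an IPsec association on the client-to-cache hop.
    """
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == SERVFAIL:
        # A validating cache answers SERVFAIL for data that fails validation;
        # other server failures look the same from the header alone.
        return "servfail"
    if h["ad"] and hop_authenticated:
        return "validated-by-cache"   # the cache vouches, and the hop is protected
    if h["ad"]:
        return "ad-unprotected"       # AD set, but anything on the path could set it
    return "unvalidated"              # the cache makes no DNSSEC claim

def _hdr(flags: int, ancount: int = 1) -> bytes:
    # Constructed header: id 0x1234, one question, no authority/additional records.
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

SAMPLE_AD = _hdr(0x81A0)               # QR | RD | RA | AD
SAMPLE_PLAIN = _hdr(0x8180)            # QR | RD | RA
SAMPLE_SERVFAIL = _hdr(0x8182, 0)      # QR | RD | RA, RCODE=2

if __name__ == "__main__":
    for name, msg in [("AD", SAMPLE_AD), ("plain", SAMPLE_PLAIN),
                      ("servfail", SAMPLE_SERVFAIL)]:
        for hop in (True, False):
            print(f"{name:9} hop_authenticated={hop!s:5} -> {stub_trust(msg, hop)}")
```

The header alone cannot tell cases #3 through #7 apart; it only shows whether the cache claims validation and whether that claim arrived over a protected hop.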