[Dnssec-deployment] DNSSEC aware recursive name servers

Paul Vixie vixie at isc.org
Sun Aug 7 01:48:47 EDT 2011


> From: David Conrad <drc at virtualized.org>
> Date: Sat, 6 Aug 2011 16:39:13 -1000
> 
> > ... what do you think of the kaminsky/vixie proposal whereby a stub
> > advertises its closest TA for the QNAME as an OPT blob, thus
> > soliciting the recursive to include the full RRSIG/DNSKEY chain from
> > the QNAME back up to that TA in the response authority section?
> 
> Don't know enough about it to comment.  Where's the draft?  From what
> you describe above, I have some skepticism it will address the coffee
> shop/hotel problem (or how you'd protect the OPT blob), but that's
> probably because I don't understand.

there isn't a draft.  i haven't got to the point yet where i myself think
it's a great idea, much less to the point where i think anybody else will.

conceptually, it's as stated.  the requestor includes a new OPT blob that
says "the closest TA i have for this QNAME is X.Y.Z, so can you please send
me a full set of {RRSIG|DS|DNSKEY} records that will lead me from that TA to
this QNAME?" and the responder then does so if it recognizes the option.
this doesn't address the "non-dnssec-aware recursive" problem but it does
make it possible to do endpoint level validation without having to ask for
all those intervening data on every single lookup or even on the first one.

it is not meant to solve the data protection problem, either.  no matter
what, if your ISP's recursive is non-dnssec-aware you'll have to use another
recursive, and if you're not able to reach another recursive in the clear,
you will have to reach it via some kind of TCP/443 or VPN or proxy.  i am
however concerned about the number of round trips it will take through such
a proxy (or even through an off-LAN recursive.)  even if you have a large
and persistent cache and you can share it among all local processes, the
cost of filling that cache will be a lot of round trips.  i don't think we
can sell security if it costs several seconds of blank screen every time
an operator visits a new web site.

> > is that what you're proposing as a strategy for creating a market for
> > dnssec-aware apps?
> 
> Not really.  What I'm suggesting is that more hacks to the protocol
> (particularly ones that try to perpetuate the computing model from the
> 80s) isn't going to address infrastructure that is purposefully
> broken.  What I suspect is necessary is creating an environment in
> which the folks who break the infrastructure start getting feedback
> that breaking the infrastructure is a bad idea.

i'd love this.

> For example, if there was a validating resolver that could be
> installed on Windows systems as a system service that would, when
> encountering an inability to resolve/validate, pop up a friendly
> message saying something like "Can't seem to do the right thing, might
> be because the network you're on is being stupid, so I'm falling back
> to a less secure mode. Be careful out there!" (and then, of course,
> falls back to dumb-DNS mode when the user clicks "OK" in order to
> allow the user to get their work done), we'd have a much greater
> chance of (a) getting some value out of DNSSEC without the magic DANE
> pixie dust and (b) getting the infrastructure fixed.
> 
> Once the infrastructure is less broken, people can start relying on it
> for more services.

the people who make money by breaking infrastructure fall into two camps.
first you've got the ones who never know what they did and the firmware
that's breaking stuff doesn't even have source code any more.  second you
have the folks who are monetizing their breakage and have a contingency
plan for any sort of "tough love" or "take back the streets" campaign we
might run against that monetization.  asking Microsoft to modify Windows
in the way you describe is worth trying but i think they'll say "there's
no make-money or save-money strategy here, it would just cause a lot of
trouble for a lot of people including us."

> > i don't think the general population is geeky enough to do what you'd
> > be asking them to do.  and if they don't, there will not be apps.
> 
> As far as I can tell, if you have to ask the general population to do
> anything to improve the infrastructure, you've lost.  If they want the
> infrastructure improved, they'll ask/demand it of you.

agreed 100%.  i was thinking about Mosaic since this is the 20th anniversary
of WWW, and Mosaic was considered sexy by its users, and any infrastructure
that got in its way was put on the short track toward upgrades.  we need
something like that if we want ubiquitous DNSSEC or dnssec-aware applications.
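As an added illustration of the option sketched in the message above (a constructed example, not code from the list, from ISC, or from the proposal itself): a small Python model in which the stub picks its closest trust anchor for the QNAME, packs it into an OPT-style blob, and the recursive, if it recognises the option, answers with the DS/DNSKEY chain from that anchor down to the zone enclosing the QNAME, which the stub then walks. The option code, zone names and key tags are placeholders, key tags stand in for key material, and RRSIGs are folded into a `signer` field rather than modelled as records. `round_trips` counts the cold-cache lookups a validating stub needs with and without the option, the cost the message worries about.

```python
"""Toy model of the 'closest trust anchor' EDNS option discussed in the thread.

Added example, not code from ISC or the list. The option code, zone names and
key tags are constructed; no EDNS option code is assigned for this idea.
"""
import struct
from dataclasses import dataclass

HYPOTHETICAL_OPTION_CODE = 65001  # constructed value in the private-use EDNS range


def ancestors(qname: str) -> list:
    """All names from qname up to the root: 'a.b.' -> ['a.b.', 'b.', '.']."""
    parts = [p for p in qname.rstrip(".").split(".") if p]
    return [".".join(parts[i:]) + "." for i in range(len(parts))] + ["."]


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def encode_option(ta_name: str) -> bytes:
    """Stub side: the OPT blob, i.e. option code, length, TA name in wire format."""
    data = encode_name(ta_name)
    return struct.pack("!HH", HYPOTHETICAL_OPTION_CODE, len(data)) + data


def decode_option(blob: bytes) -> str:
    """Responder side: recover the advertised TA name from the option blob."""
    code, length = struct.unpack("!HH", blob[:4])
    if code != HYPOTHETICAL_OPTION_CODE:
        raise ValueError("not the closest-TA option")
    data, labels, i = blob[4:4 + length], [], 0
    while data[i] != 0:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels) + "." if labels else "."


def closest_trust_anchor(qname: str, trust_anchors: dict):
    """Stub side: nearest enclosing name for which the stub holds a trust anchor."""
    return next((n for n in ancestors(qname) if n in trust_anchors), None)


@dataclass(frozen=True)
class Record:
    owner: str    # zone the record belongs to
    rtype: str    # "DNSKEY" or "DS"
    key_tag: int  # constructed key tag standing in for the key material
    signer: str   # zone whose DNSKEY signs this record (the RRSIG, folded in)


class Recursive:
    """Responder that knows the key tag of each signed zone it serves (constructed)."""

    def __init__(self, zone_keys: dict):
        self.zone_keys = zone_keys  # zone name -> key tag

    def signed_path(self, qname: str, ta_name: str) -> list:
        """Signed zones from the advertised TA down to the zone enclosing qname."""
        path = [n for n in reversed(ancestors(qname)) if n in self.zone_keys]
        if ta_name not in path:
            raise LookupError(f"no signed path from {ta_name} to {qname}")
        return path[path.index(ta_name):]

    def chain(self, qname: str, ta_name: str) -> list:
        """Records added to the authority section when the option is recognised:
        a DNSKEY per zone, and for every zone below the TA its DS signed by the parent."""
        path = self.signed_path(qname, ta_name)
        out = []
        for i, zone in enumerate(path):
            if i > 0:
                out.append(Record(zone, "DS", self.zone_keys[zone], path[i - 1]))
            out.append(Record(zone, "DNSKEY", self.zone_keys[zone], zone))
        return out


def stub_validate(chain: list, ta_name: str, trust_anchors: dict) -> bool:
    """Stub side: trust a zone's DNSKEY only through the TA or through a DS signed
    by an already-trusted parent; True when the chain's last zone ends up trusted."""
    trusted = {}                                  # zone -> key tag now trusted
    expected = {ta_name: trust_anchors[ta_name]}  # key tag promised by TA or DS
    for rec in chain:
        if rec.rtype == "DS" and rec.signer in trusted:
            expected[rec.owner] = rec.key_tag
        elif rec.rtype == "DNSKEY" and expected.get(rec.owner) == rec.key_tag:
            trusted[rec.owner] = rec.key_tag
    return bool(chain) and chain[-1].owner in trusted


def round_trips(path_len: int, with_option: bool) -> int:
    """Cold-cache lookups: the answer itself, plus, without the option, one DNSKEY
    query per zone on the path and one DS query per zone below the TA."""
    return 1 if with_option else 1 + path_len + (path_len - 1)
```

For a stub holding only a root anchor and a three-zone path (root, TLD, second-level), the model gives six lookups without the option and one with it, while a stub that already holds an anchor for the second-level zone gets a one-record chain; a DNSKEY whose tag does not match the DS above it, or a TA that does not match the first DNSKEY, leaves the leaf zone untrusted.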

