[Dnssec-deployment] DNSSEC aware recursive name servers
daniel at digsys.bg
Mon Aug 8 10:40:45 EDT 2011
Very interesting topic, glad it has risen again.
For the past 20+ years, I have always wondered why the DNS is designed
in such a "mainframe-centric" way. It has never required any significant
traffic or processing to warrant non-commodity hardware. About the only
reason I could imagine is control. And that control, as we can see, is
already abused almost everywhere.
(yes, unfortunately my political predictions almost always happen and
no, I am not interested)
For me, DNSSEC makes sense only if implemented at the end Internet
device -- the device talking TCP/IP with the world. The value of DNSSEC
is the ability to verify you get what you asked for. This means you
cannot trust any external resolver, no matter if it is your ISP's. By
the way, when you are at a hotel, the hotel happens to be your ISP.
Would you trust them?
One of the beautiful things about DNSSEC I particularly like, and keep
repeating, is that it exposes broken DNS implementations. While I don't
underestimate the laziness of various vendors, at some point in time it
will force more and more parties to fix their misbehavior -- or invent
other ways to control things.
About the only vulnerable thing in DNSSEC is the root zone key. If you
trust your OS vendor, and you apparently do, because you run your
application in their OS and believe what it decides to display for you
-- there is no reason not to trust a DNSSEC-aware resolver embedded in
your device's OS and the root key the vendor has put in there for you.
Is the processing power or software complexity required to handle a
DNSSEC-aware DNS resolver higher than the processing power and software
complexity required to handle TCP/IP? If not -- blame lazy programmers
for not embedding this already in your favorite OS. It looks so much
easier to offload the task to somebody else :)
I like very much Paul's idea of returning the chain of trust together
with the response. That would eliminate much of the round trip
overhead. Even if this is a tactical step, it will be much appreciated.
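The post's point that a validator on the end device needs only the root key the OS vendor installed, and cannot trust any external resolver, comes down to the DS/DNSKEY linkage defined in RFC 4034: each zone's key is bound to its parent by a DS record, and the root is bound to the local trust anchor. The following added example (not code from the post or from any DNS software) walks that chain in plain Python with only the standard library. It computes real RFC 4034 key tags and SHA-256 DS digests, but the zone names, keys and trust anchor are constructed sample data, and the RRSIG signature check (the asymmetric-crypto step a real validator also performs) is deliberately left out so the example runs offline.

```python
"""Chain-of-trust walk over DS/DNSKEY linkage (RFC 4034), constructed example.

Models how a validator holding only the root trust anchor links each zone's
DNSKEY to the DS record its parent publishes. RRSIG verification is out of
scope; all zone names, keys and the anchor below are constructed samples.
"""
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, ending with the empty root label."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner, rdata):
    """The DS record a parent would publish for this child DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def dnskey_matches_ds(owner, rdata, ds):
    """A DNSKEY is trusted only if tag, algorithm and digest all match the DS."""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2 and ds["digest"] == ds_digest(owner, rdata))


def validate_chain(trust_anchor_ds, zones, path):
    """Walk `path` root-first. Every zone needs a DNSKEY matching a DS that its
    parent published (for the root: the locally installed trust anchor).
    Returns (True, None) or (False, owner of the first zone that fails)."""
    expected_ds = trust_anchor_ds
    for i, owner in enumerate(path):
        keys = zones[owner]["dnskeys"]
        if not any(dnskey_matches_ds(owner, k, ds) for k in keys for ds in expected_ds):
            return False, owner
        if i + 1 < len(path):
            expected_ds = zones[owner]["child_ds"].get(path[i + 1], [])
    return True, None


PATH = [".", "bg.", "digsys.bg."]  # constructed chain, root first


def build_sample():
    """Constructed sample: three zones, each publishing DS for its child, plus
    the local trust anchor (DS form of the root key) that the OS vendor ships."""
    root_key = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")          # constructed key bytes
    bg_key = dnskey_rdata(257, 13, bytes(range(32)))
    digsys_key = dnskey_rdata(257, 13, bytes(range(32, 64)))
    zones = {
        ".": {"dnskeys": [root_key], "child_ds": {"bg.": [make_ds("bg.", bg_key)]}},
        "bg.": {"dnskeys": [bg_key],
                "child_ds": {"digsys.bg.": [make_ds("digsys.bg.", digsys_key)]}},
        "digsys.bg.": {"dnskeys": [digsys_key], "child_ds": {}},
    }
    return [make_ds(".", root_key)], zones


def check_good():
    anchor, zones = build_sample()
    return validate_chain(anchor, zones, PATH)


def check_swapped_key():
    """Tamper case: the DNSKEY for digsys.bg. arriving from an untrusted
    resolver is not the one the parent's DS binds, so validation stops there."""
    anchor, zones = build_sample()
    zones["digsys.bg."]["dnskeys"] = [dnskey_rdata(257, 13, bytes(range(64, 96)))]
    return validate_chain(anchor, zones, PATH)


if __name__ == "__main__":
    print("intact chain:", check_good())        # (True, None)
    print("swapped key:", check_swapped_key())  # (False, 'digsys.bg.')
```

The only secret-free input the validator needs is the trust anchor; everything else (DNSKEY and DS RRsets) can be fetched from any resolver, trusted or not, because a substituted key simply fails the DS match. Returning the whole chain alongside the answer, as the post describes, would let a stub validator collect these records in one exchange instead of one round trip per label.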