[Dnssec-deployment] DNSSEC aware recursive name servers

Daniel Kalchev daniel at digsys.bg
Mon Aug 8 10:40:45 EDT 2011


Very interesting topic, glad it has risen again.

For the past 20+ years, I have always wondered why the DNS is designed 
in such a "mainframe-centric" way. It has never required any significant 
traffic or processing to warrant non-commodity hardware. About the only 
reason I could imagine is control. And that control, as we can see, is 
already abused almost everywhere.

(yes, unfortunately my political predictions almost always happen and 
no, I am not interested)

For me, DNSSEC only makes sense if implemented at the end Internet 
device -- the device talking TCP/IP with the world. The value of DNSSEC 
is the ability to verify that you get what you asked for. This means you 
cannot trust any external resolver, no matter if it is your ISP's. By 
the way, when you are at a hotel, the hotel happens to be your ISP. 
Would you trust them?

One of the beautiful things about DNSSEC I particularly like, and keep 
repeating, is that it exposes broken DNS implementations. While I don't 
underestimate the laziness of various vendors, at some point in time it 
will force more and more parties to fix their misbehaviour -- or invent 
other ways to control things.

About the only vulnerable thing in DNSSEC is the root zone key. If you 
trust your OS vendor, and you apparently do, because you run your 
application in their OS and believe what it decides to display for you 
-- there is no reason not to trust a DNSSEC-aware resolver embedded in 
your device's OS and the root key the vendor has put in there for you. 
Is the processing power or software complexity required for a 
DNSSEC-aware DNS resolver higher than the processing power and software 
complexity required to handle TCP/IP? If not -- blame lazy programmers 
for not embedding this already in your favorite OS. It looks so much 
easier to offload the task to somebody else :)

I like very much Paul's idea of returning the chain of trust together 
with the response. That would eliminate much of the round-trip 
overhead. Even if this is a tactical step, it will be much appreciated.

Daniel
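The "validate on the end device, trust no external resolver" setup described in the post above, as an added configuration example that is not part of the original message and not Daniel's own configuration: a minimal Unbound configuration that runs a validating resolver on the device itself, listens only on localhost, iterates from the root instead of forwarding to the ISP, and anchors validation in a locally stored root key. The file paths are assumptions for a typical Linux layout; adjust them to the distribution in use.

```conf
# Added example (not from the original post): unbound.conf for a validating
# resolver on the end device. Paths are assumptions; adjust to the OS layout.
server:
    # Listen only on the loopback interfaces; nothing outside the device
    # should be able to use this resolver.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Root zone trust anchor (the "root key the vendor has put in there").
    # Bootstrapped once with unbound-anchor and then tracked automatically
    # through RFC 5011 key rollovers.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Never hand bogus answers to applications; they get SERVFAIL instead.
    val-permissive-mode: no

    # If a zone is known to be signed and the DNSSEC records are missing
    # from an answer, treat the answer as bogus rather than unsigned.
    harden-dnssec-stripped: yes

    # Log validation failures so that broken zones and broken middleboxes
    # become visible instead of silently failing.
    val-log-level: 1

    # Fetch DNSKEYs ahead of time to cut the extra round trips that
    # validation otherwise adds.
    prefetch-key: yes

    # No forward-zone or stub-zone stanzas: resolution starts at the root
    # hints shipped with Unbound, so no upstream resolver is trusted.
```

To use it, create the anchor file once with `unbound-anchor -a /var/lib/unbound/root.key`, start Unbound with this file, and point `/etc/resolv.conf` at `nameserver 127.0.0.1`. `unbound-host -C /etc/unbound/unbound.conf -v example.com` then reports each answer as `(secure)`, `(insecure)` or `(BOGUS ...)`, and `dig +dnssec example.com` shows the `ad` flag only when the local resolver itself validated the chain. The point of the design is that the `ad` flag is no longer a claim made by a hotel or ISP resolver; it is set by software on the device, under the device's own trust anchor.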

