[108004] in North American Network Operators' Group
RE: hat tip to .gov hostmasters
daemon@ATHENA.MIT.EDU (Keith Medcalf)
Mon Sep 22 11:49:59 2008
Date: Mon, 22 Sep 2008 11:49:50 -0400
In-Reply-To: <82prmwjjgt.fsf@mid.bfk.de>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "Florian Weimer" <fweimer@bfk.de>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> > That would defeat the entire purpose of using DNSSEC. In order for
> > DNSSEC to actually provide any improvement in security whatsoever,
> > the ROOT ZONE (.) needs to be signed, and every delegation up the
> > chain needs to be signed. And EVERY resolver (whether recursive or
> > local on host) needs to understand and enforce DNSSEC.
> Either the resolver needs to enforce, or the host. It's not necessary
> to do both. It's also not strictly necessary that the root is signed,
> provided that there is some way to manage the trust anchors (either
> through software updates, like it is done for the browser CA list, or
> through regular DNS management at the ISP resolver).
> > If even one delegation is unsigned or even one resolver does not
> > enforce DNSSEC, then, from an actual security perspective, you will
> > be far worse off than you are now.
> Why?
If the local resolver does not perform DNSSEC validation, then I cannot validate that the response is correct. I certainly do not trust anyone else to verify that the information is correct and then, without any possible verification, simply believe that the third party did the validation. In fact, I have no way of knowing that the response even came from the "ISP" at all unless the client resolver supports DNSSEC.
Just because YOU check the digital signature on an email and forward that email to me (either with or without the signature data), if I do not have the capability to verify the signature myself, I sure as hell am not going to trust your mere say-so that the signature is valid!
If I cannot authenticate the data myself, then it is simply untrusted and untrustworthy -- exactly the same as it is now.
The real problem is that the clueless (with a hidden self-aggrandizing and a primary motive of "lining my pockets with other people's money") will convince the ignorant that it is more secure. Sort of like banning toothpaste from carry-on baggage "improves" the security of air travel, when in fact it does nothing more than help the idiots in charge of promulgating such policies to rip off (rob) other people of their money by deliberate fraud and misrepresentation.
> > Until such time as EVERY SINGLE DOMAIN including the root is signed
> > and every single DNS Server and resolver (including the local host
> > resolvers) understand and enforce DNSSEC you should realize that
> > DNSSEC does nothing for you whatsoever except give the uneducated a
> > false sense of "security".
> DNSSEC is totally invisible to the end user. There won't be any
> browser icon that says "it's okay to enter your PII here because the
> zone is DNSSEC-signed". It's purely an infrastructure measure, like
> physically securing your routers.
The end-stage is secure only if at that stage you also set all DNS infrastructure to refuse to talk to any DNS client/server/resolver that DOES NOT validate and enforce DNSSEC. Up until that point in time, there is NO CHANGE in the security posture from what we have today with no DNSSEC whatsoever.
To hold forth otherwise is to participate in deliberate fraud and misrepresentation of material facts.
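The point argued in this message, that a host which does not validate has no way to tell a validated answer from a forged one, can be seen on the wire. A validating recursive resolver signals its result to the stub with the AD ("Authenticated Data") header bit, but over plain UDP nothing binds that bit to the resolver: whoever can deliver a packet to the stub can set it. The script below is an added illustration, not code from this thread or from any DNS implementation. It builds two constructed DNS responses (one with AD=1 and no signature material, one carrying an RRSIG record), parses them with a minimal wire-format parser, and contrasts a stub that trusts the AD bit with a stub that insists on signature material it can check itself. The `stub_validating_locally` check stops at "is an RRSIG covering the A RRset present"; a real validator goes on to verify that RRSIG against the DNSKEY chain up to a trust anchor, which is omitted here.

```python
"""Added example: why a non-validating stub cannot rely on the AD bit.

DNS header flags are plain bits in a UDP datagram. The AD bit is set by a
validating recursive resolver, but a stub that does not validate has no
way to know the datagram came from that resolver at all. All packets here
are constructed for the example.
"""
import struct

TYPE_A = 1
TYPE_RRSIG = 46
CLASS_IN = 1
FLAG_AD = 0x0020          # "Authenticated Data" bit in the header flags word
QNAME = "www.example.com"  # constructed sample name


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, answers, ad_bit, txid=0x1234):
    """Build a minimal DNS response; answers is a list of (type, rdata)."""
    flags = 0x8180 | (FLAG_AD if ad_bit else 0)  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    body = b""
    for rtype, rdata in answers:
        body += encode_name(qname)
        body += struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + body


def skip_name(buf, off):
    """Return the offset just past a wire-format name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Parse header flags and the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        records.append((rtype, buf[off:off + rdlen]))
        off += rdlen
    return {"ad": bool(flags & FLAG_AD), "records": records}


def stub_trusting_ad(buf):
    """The mode the message warns about: believe whatever the AD bit says."""
    return parse_response(buf)["ad"]


def stub_validating_locally(buf):
    """Ignore AD; require an RRSIG that covers the A RRset. (A real
    validator then verifies that RRSIG against DNSKEY/DS up to the trust
    anchor; that cryptographic step is omitted in this illustration.)"""
    records = parse_response(buf)["records"]
    has_a = any(rtype == TYPE_A for rtype, _ in records)
    # RRSIG RDATA begins with the 16-bit "type covered" field.
    covers_a = any(rtype == TYPE_RRSIG and len(rdata) >= 2
                   and struct.unpack_from("!H", rdata, 0)[0] == TYPE_A
                   for rtype, rdata in records)
    return has_a and covers_a


A_RDATA = bytes([192, 0, 2, 1])  # 192.0.2.1, documentation address
# Constructed placeholder RRSIG RDATA: type covered = A, rest is filler.
RRSIG_RDATA = struct.pack("!H", TYPE_A) + b"\x00" * 16

# A response anyone on the path could have produced: AD set, nothing to check.
FORGED = build_response(QNAME, [(TYPE_A, A_RDATA)], ad_bit=True)
# A response carrying signature material the stub could verify itself.
SIGNED = build_response(QNAME, [(TYPE_A, A_RDATA),
                                (TYPE_RRSIG, RRSIG_RDATA)], ad_bit=False)


def demo():
    """Return what each stub mode concludes about each response."""
    return {
        "trust_ad_accepts_forged": stub_trusting_ad(FORGED),
        "validate_accepts_forged": stub_validating_locally(FORGED),
        "trust_ad_accepts_signed": stub_trusting_ad(SIGNED),
        "validate_accepts_signed": stub_validating_locally(SIGNED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The AD-trusting stub accepts the forged response purely because of a header bit, while the locally validating stub rejects it for lack of signature material and accepts the signed response regardless of what AD says; the stub's trust therefore rests on its own check, or on an authenticated channel to the validator, never on the bit alone.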