On Aug 10, 2008, at 5:51 AM, Andras Salamon wrote:
> An alternative was proposed by Masataka Ohta around 1995. It did not progress, but maybe it is time to trawl the archives and revisit it?
Paul's comment (the first of the three articles you quoted) implies that secure NXDOMAIN is not a feature of Ohta-san's proposal. That seems like a bit of a problem, because fake domains are definitely a useful phishing tool.
> On the other hand, the comment from Masataka Ohta was: the real problem of DNSSEC is that it is merely weakly secure
What Ohta-san is saying here (and I hope he will forgive me and explain if I get it wrong) is that DNSSEC's security depends on the people managing the name servers in the hierarchy down to the zone whose security I am validating. So if one of those people is untrustworthy, the contents of a zone can be faked.
This is true. However, it's also the way security works. In order to have more security than this, I would need to have trust anchors for every zone I really cared about - this would enable me to avoid placing trust in the hierarchy. In some situations this might be a very good idea. In practice, though, in many (most) situations it would be too much work. In any case, if you want to do this, it can be done with DNSSEC today.
Remember who you are trusting: the people who operate the root zone, and the people who operate the TLDs. So in order for you to get a forged result, at least the TLD for the zone you're looking up would have to be compromised. And it would have to be compromised by someone with access to the key. Possible, certainly, but expensive.
What DNSSEC gets you in this case is two things: one, it increases the cost of forging DNS info *substantially*. This is a good thing - nothing is ever perfectly secure; what you want is for a thing to be sufficiently secure that what you gain from breaking the security is less than what you spent breaking it.
The other thing it gives you is a responsible party to sue in the event that something goes wrong. This is probably why the TLDs are reluctant to sign their zones. But it's how business is done.
It's definitely a good idea to make sure that the security of the zone has as little value as possible. So it can solve the problem we're all hot about right now. But it can't replace SSL certs. If the DNS replaced SSL certs, cracking zone operators would be worth a *lot* of money, much more than simply being able to forge an A record. We don't want that, and that's why putting that kind of key in the DNS is a bad idea (IMHO).
> so suggesting that a fundamental rethink is necessary.
One thing to keep in mind when you talk about fundamental rethinks is that despite the fact that there is nobody who would say that DNSSEC is pretty, DNSSEC is what we have after a very long effort to produce a solution to this very problem.
Now, it could be that all the people involved are stupid, or that politics derailed the process and that's why we have the solution we have and not some other imagined solution that we don't have that would have better properties, or be easier to operate, or safer, or whatever.
But in all likelihood the reason we are where we are has more to do with the fact that securing the DNS is a hard problem. So when you talk about a fundamental rethink, what you are proposing is that we start from scratch and try to come up with something that took a decade to come up with in the first place. We've learned a lot in the process of coming up with DNSSEC, so it probably wouldn't take a decade to do this rethink. But it would still take a very long time. And we have no guarantee that the output of the process would be preferable to what we have now. And many reasons to think it would not.
A bird in the hand is worth two in the bush.
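A toy model of the chain-of-trust argument made above (the validator trusts root and TLD operators unless it holds its own trust anchor for a zone). This is an added example, not code from the thread or from any DNSSEC implementation: HMAC stands in for public-key signatures, a DS is simply a hash of the child's key, and the zone names, keys and records are constructed.

```python
import hashlib, hmac, os

# Toy model of the DNSSEC chain of trust (not a DNSSEC implementation): HMAC stands
# in for public-key signatures, so one key plays both DNSKEY and private-key roles.
def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()
def ds(key):
    # DS record: hash of the child zone's key, published and signed by the parent
    return hashlib.sha256(key).digest()
def chain(qname):
    # 'example.com.' -> ['.', 'com.', 'example.com.']
    parts = [p for p in qname.rstrip('.').split('.') if p]
    return ['.'] + ['.'.join(parts[i:]) + '.' for i in range(len(parts) - 1, -1, -1)]
class Zone:
    def __init__(self, name, key=None):
        self.name, self.key, self.records = name, key or os.urandom(32), {}
    def publish(self, rrset, data):
        # each RRset carries the zone key and a signature over the data
        self.records[rrset] = (data, self.key, sign(self.key, data))
def validate(anchors, zones, qname, rrset):
    # Walk from the deepest configured trust anchor down to qname: each zone key
    # must hash to the DS we trust and each signature must verify under that key.
    names = chain(qname)
    start = max(i for i, n in enumerate(names) if n in anchors)
    trusted_ds = anchors[names[start]]
    for i, name in enumerate(names[start:], start):
        target = rrset if name == qname else ('DS', names[i + 1])
        rec = zones[name].records.get(target)
        if rec is None or ds(rec[1]) != trusted_ds or sign(rec[1], rec[0]) != rec[2]:
            return False
        trusted_ds = rec[0]  # for a DS link, the data is the child's expected key hash
    return True
def scenario():
    root, com, example = Zone('.'), Zone('com.'), Zone('example.com.')
    root.publish(('DS', 'com.'), ds(com.key))
    com.publish(('DS', 'example.com.'), ds(example.key))
    example.publish(('A', 'www'), b'192.0.2.10')  # constructed sample record
    honest = {'.': root, 'com.': com, 'example.com.': example}
    # Someone holding com.'s key re-points the delegation at a key they control.
    fake = Zone('example.com.')
    fake.publish(('A', 'www'), b'203.0.113.66')
    bad_com = Zone('com.', com.key)
    bad_com.publish(('DS', 'example.com.'), ds(fake.key))
    forged = {'.': root, 'com.': bad_com, 'example.com.': fake}
    root_only = {'.': ds(root.key)}
    local = {'.': ds(root.key), 'example.com.': ds(example.key)}
    q = ('example.com.', ('A', 'www'))
    return (validate(root_only, honest, *q),  # True: honest chain validates
            validate(root_only, forged, *q),  # True: TLD-level forgery passes
            validate(local, forged, *q))      # False: local anchor rejects it
```

With only the root anchor the forged delegation validates just like the honest one, which is the "weakly secure" point; adding a per-zone anchor removes the TLD from the trusted set at the cost of maintaining that anchor yourself.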