On Apr 23, 2009, at 1:11 PM, John Schnizlein wrote:
> My guess is that the solutions for updating (end) host software will
> get trustworthy enough to be used for DNSSEC trust anchors, and the
> validation will end up in the (end) host.  Until the host OS
> manufacturers realize this is worth their while, validation in
> hand-crafted recursive resolvers can get things started.

Every current O.S. out there (Windows, Mac OS X, Red Hat, Ubuntu, etc.) already has a trust anchor model, which they use to validate updates. So the trust anchor problem is already, to a great extent, solved. It's true that a determined on-path attacker could prevent a particular end host from getting the updates that would allow them to validate DNSSEC responses if they installed from old media. But in practice this problem is already solved, not only by automatic update systems, but also by browser vendors.

What remains to be secured is the initial phase of the install media distribution process. We really ought to solve it *before* malware authors start to get serious about attacking it. But once you have an install that has valid trust anchor keys in the software update system, you do have a secure way to bootstrap DNSSEC (or at least securely fail to bootstrap DNSSEC), even if the DNSSEC trust anchor that came with your install media has expired.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
