RE: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.) - DNS mailing list
--On Monday, December 04, 2006 20:56:25 -0800 "Hallam-Baker, Phillip" wrote:
> Rarely from securing an existing infrastructure.
> Don't expect the existing uses of DNS to drive deployment of the DNSSEC
> infrastructure. It can only serve those needs after the infrastructure is
> almost complete.
I'm not sure whether this is the same point Phil is making, but in case
not, it seems to me the RoI argument is like expecting positive RoI on the
deployment of the first telephone. From a resolver's point of view,
deployment is not going to be particularly useful until there are a number
of authoritative servers with secure data to look up; and from an authoritative
server's point of view, deployment isn't particularly useful until there
are a number of secure resolvers who know what to do with the data. Whilst
the above is true, I am also hoping it's so blindingly obvious (being
equally true for most other end-to-end protocols) that people realized it
15 years ago (*).
As far as "no demand for DNSSEC" is concerned, I think it is fair to say I
have not yet driven through parliament square in London only to be slowed
by hordes of protesters carrying banners saying "what do we want? DNSSEC.
when do we want it? Now. Well, as soon as a reasonable deployment plan can
be worked out". However, I do recall going to a meeting a couple of months
ago attended by (amongst others) one parliamentarian, and a
representative from the UK Department of Trade and Industry, and being
slightly surprised they were perfectly aware of the possibility of various
DNS-related attacks (no doubt discovered through background research for
other Phishing attacks) and that DNSSEC solved most of them. I suspect that
signifies demand. And I suspect major registries aren't spending time
contributing to drafts simply to keep their staff busy...
(*) = I'm afraid I got a bit lost with the argument that
suggested "can't we validate at the caching resolver instead,
that way we don't have to wait for end users to upgrade". Firstly,
didn't we discover the painful way that middle-boxes are often the
last thing to be upgraded (think about new RR-types and firewalls, etc)?
Secondly, to get proper security functionality out of DNSSEC, doesn't
the end user app need to be upgraded? Or there can be no way it
can distinguish between a signed A record and an unsigned one (let
alone between secure denial and insecure denial); unless I'm missing
something vital, that's pretty much equivalent to no security (sure
the cache itself may be more resistant to some attacks, but we have
plenty of end-user machine attacks now).
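The footnote's point, that an un-upgraded application cannot tell a signed A record (or a secure denial) from an unsigned one, can be seen in what actually crosses the wire between a validating cache and a stub. The example below is added here and is not part of the original post: it constructs four minimal DNS responses (a positive answer and an NXDOMAIN, each with and without the AD header bit a validating resolver would set, per RFC 4035 section 3.2), then parses them once the way a legacy application does and once the way a DNSSEC-aware one does. The message bytes are constructed sample data, not captured traffic; EDNS/DO and the RRSIG records themselves are left out to keep the header flag the focus.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD added by RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # "authenticated data": set by a validating resolver
FLAG_CD = 0x0010
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, flags, answers, rcode=RCODE_NOERROR, txid=0x1234):
    """Construct a minimal response: one A question, zero or more A answers.
    This is constructed sample data for the example, not a captured packet."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_QR | flags | rcode, 1, len(answers), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # Owner name is a compression pointer to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + question + rrs


def parse_name(msg, off):
    """Decode a name at msg[off:], following compression pointers; return (name, end)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Return rcode, AD flag and the A-record addresses in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "ad": bool(flags & FLAG_AD), "addresses": addrs}


def legacy_lookup(msg):
    """What a pre-DNSSEC application gets: addresses or nothing. AD is discarded."""
    return parse_response(msg)["addresses"]


def dnssec_aware_lookup(msg):
    """An upgraded application reads AD and can report the validation status."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        status = "secure denial" if r["ad"] else "insecure denial"
    else:
        status = "validated" if r["ad"] else "unvalidated"
    return status, r["addresses"]


def demo():
    """Build the four constructed responses and show both views of each."""
    base = FLAG_RD | FLAG_RA
    cases = {
        "signed A":         build_response("www.example.com.", base | FLAG_AD, ["192.0.2.1"]),
        "unsigned A":       build_response("www.example.com.", base, ["192.0.2.1"]),
        "secure NXDOMAIN":  build_response("nx.example.com.", base | FLAG_AD, [], RCODE_NXDOMAIN),
        "insecure NXDOMAIN": build_response("nx.example.com.", base, [], RCODE_NXDOMAIN),
    }
    return {k: (legacy_lookup(m), dnssec_aware_lookup(m)) for k, m in cases.items()}


if __name__ == "__main__":
    for label, (legacy, aware) in demo().items():
        print(f"{label:18} legacy={legacy} aware={aware}")
```

The legacy view of the signed and unsigned answers is byte-for-byte the same list of addresses, and the two NXDOMAINs are both just an empty result; only code that looks at AD can tell them apart. One caveat a deployer should keep in mind: AD is a plain header bit, so an application may only rely on it when the path to its validating cache is itself trusted (a local or otherwise protected channel), which is the same reason the post argues validation at the cache alone does not give the end user much.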