Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

Joe Greco jgreco at ns.sol.net
Thu Jul 24 15:40:40 UTC 2008


> 
> On 24 Jul 2008, at 10:56, Joe Greco wrote:
> 
> > MY move?  Fine.  You asked for it.  Had I your clout, I would have used
> > this opportunity to convince all these new agencies that the security of
> > the Internet was at risk, and that getting past the "who holds the keys"
> > for the root zone should be dealt with at a later date.  Get the root
> > signed and secured.
> 
> Even if that was done today, there would still be a risk of cache
> poisoning for months and years to come.
> 
> You're confusing the short-term and the long-term measures, here.

No, I'm not.  I did say that the other fix could be implemented regardless.
However, since it is at best only a band-aid, it should be treated and
understood as such, rather than misinforming people into thinking that
their nameservers are "not vulnerable" once they've applied it.

So I'm not the confused party.  There are certainly a lot of confused
parties out there who believe they have servers that are not vulnerable.

> > Get the GTLD's signed and secured.
> 
> I encourage you to read some of the paper trail involved with getting
> ORG signed, something that the current roadmap still doesn't
> accommodate for the general population of child zones until 2010. It
> might be illuminating.

You know, I've been watching this DNSSEC thing for *years*.  I don't need
to read any more paper trail.  There was no truly good excuse for this not
to have been done years ago.

> Even once everything is signed and working well to the zones that
> registries are publishing, we need to wait for registrars to offer
> DNSSEC key management to their customers.
> 
> Even once registrars are equipped, we need people who actually host
> customer zones to sign them, and to acquire operational competence
> required to do so well.
> 
> And even after all this is done, we need a noticeable proportion of
> the world's caching resolvers to turn on validation, and to keep
> validation turned on even though the helpdesk phone is ringing off the
> hook because the people who host the zones your customers are trying
> to use haven't quite got the hang of DNSSEC yet, and their signatures
> have all expired.
> 
> Compared with the problem of global DNSSEC deployment, getting
> everybody in the world to patch their resolvers looks easy.

Of course.  That's why I said that deploying this patch was something that
could be done *too*.

The point, however, was contained in my earlier message.

You can only cry "wolf" so many times before a lot of people stop
listening.  Various evidence over the years leads me to believe that
this is any number greater than one time.

The point is that I believe the thing to do would have been to use this
as a giant push for "DNSSEC Now!  No More Excuses!"

As it stands, there will likely be another exploit discovered in a year,
or five years, or whatever, which is intimately related to this attack,
and which DNSSEC would have solved.

I don't particularly care to hear excuses about why DNSSEC is {a failure,
impractical, can't be deployed, hasn't been deployed, won't be deployed,
isn't a solution, isn't useful, etc} because I've probably heard them all
before.  We should either embrace DNSSEC, or we should simply admit that
this is one of the many problems we just don't really care to fix for real.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
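The quoted reply above names the operational failure mode that drives validating resolvers to switch validation back off: zone operators letting their signatures expire. A monitoring check for exactly that, added here as an example and not code from this thread or from any of the projects mentioned: it parses RRSIG records in zone-file presentation form and flags signatures that have expired or will within a few days. The records, the check time (this message's date) and the function names are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample records in zone-file presentation format; the signature
# field is a placeholder, not a real signature.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG SOA 13 2 3600 20080801000000 20080702000000 12345 example.test. PLACEHOLDER==
www.example.test. 3600 IN RRSIG A 13 3 3600 20080725120000 20080625120000 12345 example.test. PLACEHOLDER==
mail.example.test. 3600 IN RRSIG MX 13 3 3600 20080720000000 20080620000000 12345 example.test. PLACEHOLDER==
"""

# Time of the check: the date of this message, in UTC (assumed for the example).
NOW = datetime(2008, 7, 24, 15, 40, 40, tzinfo=timezone.utc)


def parse_rrsig_time(field):
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsigs(text, now=NOW, warn_days=3):
    """Classify each RRSIG line as expired, not_yet_valid, expiring or ok.

    Returns a list of (owner, type_covered, status, days_left) tuples; days_left
    is negative once the signature has expired.
    """
    results = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        expiration, inception = parse_rrsig_time(f[8]), parse_rrsig_time(f[9])
        days_left = round((expiration - now).total_seconds() / 86400, 1)
        if now > expiration:
            status = "expired"
        elif now < inception:
            status = "not_yet_valid"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append((f[0], f[4], status, days_left))
    return results


def needs_attention(results):
    """Owner names whose signatures already fail at a validator, or soon will."""
    return [owner for owner, _, status, _ in results if status != "ok"]


if __name__ == "__main__":
    for owner, rtype, status, days in check_rrsigs(SAMPLE_RRSIGS):
        print(f"{owner:22} {rtype:4} {status:14} {days:+.1f} days")
```

Feeding it the output of a real zone transfer or a `dig +dnssec` run against your own zones, on a schedule, catches the expiry well before the helpdesk phone does.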