hat tip to .gov hostmasters

Keith Medcalf kmedcalf at dessus.com
Mon Sep 22 10:49:50 CDT 2008

> > That would defeat the entire purpose of using DNSSEC.  In order for
> > DNSSEC to actually provide any improvement in security whatsoever,
> > the ROOT ZONE (.) needs to be signed, and every delegation up the
> > chain needs to be signed.  And EVERY resolver (whether recursive or
> > local on host) needs to understand and enforce DNSSEC.

> Either the resolver needs to enforce, or the host.  It's not necessary
> to do both.  It's also not strictly necessary that the root is signed,
> provided that there is some way to manage the trust anchors (either
> through software updates, like it is done for the browser CA list, or
> through regular DNS management at the ISP resolver).

> > If even one delegation is unsigned or even one resolver does not
> > enforce DNSSEC, then, from an actual security perspective, you will
> > be far worse off than you are now.

> Why?

If the local resolver does not perform DNSSEC validation, then I cannot validate that the response is correct.  I certainly do not trust anyone else to verify that the information is correct and then, without any possible verification, simply believe that the third party did the validation.  In fact, I have no way of knowing that the response even came from the "ISP" at all unless the client resolver supports DNSSEC.

Just because YOU check the digital signature on an email and forward that email to me (either with or without the signature data), if I do not have the capability to verify the signature myself, I sure as hell am not going to trust your mere say-so that the signature is valid!

If I cannot authenticate the data myself, then it is simply untrusted and untrustworthy -- exactly the same as it is now.

The real problem is that the clueless (with a hidden self-aggrandizing and a primary motive of "lining my pockets with other people's money") will convince the ignorant that it is more secure.  Sort of like banning toothpaste from carry-on baggage "improves" the security of air travel, when in fact it does nothing more than help the idiots in charge of promulgating such policies to rip off (rob) other people of their money by deliberate fraud and misrepresentation.

> > Until such time as EVERY SINGLE DOMAIN including the root is signed
> > and every single DNS Server and resolver (including the local host
> > resolvers) understand and enforce DNSSEC you should realize that
> > DNSSEC does nothing for you whatsoever except give the uneducated a
> > false sense of "security".

> DNSSEC is totally invisible to the end user.  There won't be any
> browser icon that says "it's okay to enter your PII here because the
> zone is DNSSEC-signed".  It's purely an infrastructure measure, like
> physically securing your routers.

The end-stage is secure only if at that stage you also set all DNS infrastructure to refuse to talk to any DNS client/server/resolver that DOES NOT validate and enforce DNSSEC.  Up until that point in time, there is NO CHANGE in the security posture from what we have today with no DNSSEC whatsoever.

To hold forth otherwise is to participate in deliberate fraud and misrepresentation of material facts.

More information about the NANOG mailing list
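The disagreement in the message above is about whether a stub resolver can rely on validation done upstream. The DNS header's AD ("Authenticated Data") bit is the mechanism a validating recursive resolver uses to report that it checked the signatures; RFC 4035 section 4.9.3 allows a stub to rely on it only when the data came from a trusted resolver over a secure channel. The following is an added example (not code from the thread or from any DNS implementation) in pure Python: it builds two constructed A-record responses that differ only in the AD bit, parses the header, and applies a trust policy of the kind the thread argues about. The record name, address, message id and the policy labels are all assumptions made for the illustration.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD defined in RFC 4035)
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # "authenticated data": an assertion by whoever built the packet
FLAG_CD = 0x0010   # checking disabled


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_a_response(msg_id, flags, name, ipv4, ttl=300):
    """Constructed sample: a one-question, one-answer A record response."""
    header = struct.pack("!HHHHHH", msg_id, flags | FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # type A, class IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_header(packet):
    """Return the fields of the 12-byte DNS header that matter here."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": msg_id,
        "response": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "answers": an,
    }


def differing_offsets(a, b):
    """Byte offsets at which two equal-length packets differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def classify(packet, channel_trusted, local_validation=None):
    """Hypothetical stub-resolver trust policy for a response.

    local_validation: outcome of the stub's own DNSSEC validation (True/False),
      or None when the stub cannot validate at all (the case argued in the thread).
    channel_trusted: whether the path to the recursive resolver is authenticated
      (for example a validating resolver on localhost).  Per RFC 4035 4.9.3 the AD
      bit may only be relied upon in that situation; on an untrusted path nothing in
      the packet proves who set it.
    """
    if local_validation is not None:
        return "secure" if local_validation else "bogus"
    header = parse_header(packet)
    if header["ad"] and channel_trusted:
        return "secure-by-trusted-resolver"
    return "unvalidated"


if __name__ == "__main__":
    # Both packets are constructed here; the answer section is byte-identical.
    with_ad = build_a_response(0x1234, FLAG_RD | FLAG_RA | FLAG_AD, "example.com.", "192.0.2.1")
    without_ad = build_a_response(0x1234, FLAG_RD | FLAG_RA, "example.com.", "192.0.2.1")

    print("header:", parse_header(with_ad))
    # Only one byte of the header separates the two: there is no signature over it.
    print("offsets that differ:", differing_offsets(with_ad, without_ad))
    print("AD set, untrusted path:", classify(with_ad, channel_trusted=False))
    print("AD set, trusted path:  ", classify(with_ad, channel_trusted=True))
    print("AD clear, trusted path:", classify(without_ad, channel_trusted=True))
    print("stub validated itself: ", classify(without_ad, False, local_validation=True))
```

The point the script makes concrete is the one in the reply: a stub that does not validate sees the AD bit as a single unauthenticated header bit, so it can only act on it when the resolver and the path to it are already trusted by some other means; validating locally (the `local_validation` branch) removes that dependency entirely.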