hat tip to .gov hostmasters

Robert Bonomi bonomi at mail.r-bonomi.com
Mon Sep 22 13:21:49 CDT 2008

> Subject: RE: hat tip to .gov hostmasters
> Date: Mon, 22 Sep 2008 11:49:50 -0400
> From: "Keith Medcalf" <kmedcalf at dessus.com>
> If I cannot authenticate the data myself, then it is simply untrusted and
> untrustworthy -- exactly the same as it is now.

"Speak for yourself, John" applies.

In the real world, there are cases where data that one is unable to
authenticate by oneself *is* treated as fully trusted.  Because someone
with the authority to declare it to be that, by fiat, has done so.

There may be a common "chain of command", and someone higher in the chain
has declared that various inferiors "shall"(i.e. 'must') trust the work
of other inferiors within the organization, for example.

Or, it may be a contractually-delegated trust.

Or, any of a number of other possibilities.

Admittedly, in any of those scenarios, the 'strength' of trust is somewhat
weaker than if it was self-verified, but it _is_ "far above" your claim of
'untrusted and untrustworthy'.

> The end-stage is secure only if at that stage you also set all DNS infrastructure
> to refuse to talk to any DNS client/server/resolver that DOES NOT validate
> and enforce DNSSEC.  Up until that point in time, there is NO CHANGE
> in the security posture from what we have today with no DNSSEC whatsoever.


One does not have a _guarantee_ of 'accurate' data without end-to-end 
enforcement, this is true.

Even _with_ end-to-end DNSSEC enforcement, one does not have such a guarantee.

All it accomplishes is to make the insertion of bogus data harder.  Not 
'impossible', just 'harder'.

If a local non-DNSSEC resolver consults _only_ a DNSSEC-aware server on an
immediately adjacent network, it takes only a moderate 'extension of trust'
to (a) the local network operator, (b) the adjacent network operator, and
(c) the DNSSEC-aware server operator, to have a "reasonable degree" of
trust in the accuracy of the data the local resolver has.  This 'trust'
involves the physical integrity of the networks -- that a host on -those-
networks will not be allowed to spoof a source address of the DNSSEC-aware
server; and the use of ingress-filtering on _source_ addresses -- to prevent
any 'external' network/machine from spoofing it either.  Beyond that, it is
just a matter of 'trusting' a proper implementation on the server itself.

_IF_ the anti-spoofing provisions are in place, and 'downstream' (non-aware)
DNS resolvers (which consult -only- the 'aware' server) are under the same
administrative control as the DNSSEC-aware one, *THEN* there is zero effective
difference in the trust level between an answer obtained from the 'non-aware'
system and one obtained from the 'aware' one.

> To hold forth otherwise is to participate in deliberate fraud and misrepresentation
> of material facts.

This really sounds like someone who has a financial interest in promulgating
FUD.  <grin>

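[Editor's added example, not part of the thread.]  The point argued above
is that a non-validating stub which forwards only to a validating resolver
gets exactly as much assurance as the path between them provides, and no
more.  The code below makes that concrete: it builds minimal wire-format
DNS responses, shows that the AD ("authenticated data") header bit a
validating resolver sets is a plain, unsigned bit that anyone can set in
a forged reply, and shows that the only things the stub can check are the
transaction id, the QR bit and the reply's source address.  Without
ingress filtering a spoofed source passes; with it, the forged packet
arrives (if at all) from the attacker's real address and is dropped.  All
addresses, names and packets are constructed for the example; the resolver
address 192.0.2.53 is an assumption, not anything from the thread.

```python
import struct
import ipaddress

# Assumed address of the validating (DNSSEC-aware) forwarder the stub uses.
RESOLVER_IP = "192.0.2.53"

# DNS header flag bits (RFC 1035 / RFC 4035).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: set by the resolver, NOT cryptographically protected


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid: int, qname: str, ip: str, ad: bool) -> bytes:
    """Build a minimal DNS response: one question, one A record, RA set, AD optional."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if ad:
        flags |= FLAG_AD          # an attacker can set this just as easily as the resolver
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                                      # name: pointer to offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4)             # type A, IN, TTL 300, RDLENGTH 4
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields a stub looks at."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def answer_ip(msg: bytes) -> str:
    """Return the A record's address from a single-answer response built by build_response."""
    pos = 12
    while msg[pos] != 0:              # walk the question name's labels
        pos += 1 + msg[pos]
    pos += 1 + 4                      # root label + QTYPE/QCLASS
    # answer: name ptr(2) type(2) class(2) ttl(4) rdlength(2) rdata
    rdlen = struct.unpack("!H", msg[pos + 10:pos + 12])[0]
    return str(ipaddress.IPv4Address(msg[pos + 12:pos + 12 + rdlen]))


def stub_accepts(msg: bytes, expected_id: int, src_ip: str) -> bool:
    """Everything a non-validating stub can check: source address, QR bit, transaction id.

    None of this is cryptographic; the stub's trust reduces to trust that a packet
    claiming to come from RESOLVER_IP really did (i.e. anti-spoofing on the path).
    """
    h = parse_header(msg)
    return src_ip == RESOLVER_IP and h["qr"] and h["id"] == expected_id


if __name__ == "__main__":
    # Constructed sample traffic: the real answer and a forged one for the same query.
    legit = build_response(0x1234, "www.example.net.", "192.0.2.10", ad=True)
    forged = build_response(0x1234, "www.example.net.", "203.0.113.66", ad=True)

    print("legit : AD=%s ip=%s" % (parse_header(legit)["ad"], answer_ip(legit)))
    print("forged: AD=%s ip=%s" % (parse_header(forged)["ad"], answer_ip(forged)))

    # No ingress filtering: the forged packet arrives with a spoofed source and is accepted.
    print("accepted with spoofed source:", stub_accepts(forged, 0x1234, RESOLVER_IP))
    # Ingress filtering in place: the packet can only arrive from the attacker's true address.
    print("accepted from real attacker address:", stub_accepts(forged, 0x1234, "198.51.100.7"))
```

The forged reply is byte-for-byte as "authenticated" as the genuine one from
the stub's point of view, which is why the message above leans on source-address
integrity and ingress filtering rather than on anything the stub itself can
verify.  (Real stubs also match the question section and the source port;
that narrows blind guessing but does nothing against an on-path host that
can spoof the resolver's address.)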
More information about the NANOG mailing list