
Root DNS Zone Now DNSSEC Signed - jf
http://www.isc.org/press-release/isc-praises-momentous-step-forward-securing-domain-name-system
======
tptacek
Did you know that DNSSEC isn't designed to protect the DNS queries your laptop
generates? Your laptop uses a "stub resolver" to talk to a real DNS cache, and
there is _another_ protocol that nobody will ever use that's intended to
protect that traffic.

Did you know that they designed DNSSEC in a way that makes it difficult to not
dump all your hostnames to the public, 'host -l' style? In order to provide a
non-repudiable "no such host" message, they made DNS zones walkable. When
people freaked out about that (justifiably so!), they modified the protocol so
that names are hashed, password-file-style --- and are password-file-style
crackable.

Did you know that because almost every piece of software that does name
lookups uses "gethostbyname()", which provides no error channel, DNSSEC can't
even give you a scary popup when a key expires or something is misconfigured?
That unlike SSL --- which causes millions of such popups every day --- DNSSEC
basically implies that either everything's configured 100% perfect or... that
host doesn't exist?

Did you know that SSL/HTTPS in no way relies on a secure DNS today? That all
that certificate signature stuff that people complain about boils down to a
system designed to work even if the DNS is totally hostile and owned by
attackers? And that the system has been attacked and refined and basically
solid for something like 15 years?

Did you check out Dan Bernstein's presentation about using DNSSEC as a denial-
of-service amplifier? I leave it as an exercise for you to find out how many
megabytes of traffic you can get DNS servers to hurl at Twitter in response to
just a few packets of your own.

DNSSEC is a debacle. It's been scrapped and redesigned (I believe) three times
now, from the days in the 90s when it was a government project to the
"whitelies" and "NSEC3" scramble that happened just a few years ago when they
tried to deploy the "everyone gets a list of everyone else's hosts" design.

What's worse, we don't need it. DNS has been insecure for over 15 years, and
DNS is not a primary attack vector on the Internet. When DNS is part of a
malware attack, more often than not it's because the malware has reconfigured
the victim host, which DNSSEC can't do anything about.

What's worse than that is that the bit we really could stand to address ---
the insecure connections between end user computers and DNS servers --- could
have been secured at far less cost and drama than the cache-to-authority
problem the DNSSEC group bit off. But wasn't.

There seems to be some momentum behind finally getting DNSSEC deployed. I
think it's actually bad for the Internet; that it will cause reliability
problems, create a huge amount of work for server admins, not solve any real-
world security problem, and create a false sense of security. But be that as
it may, it appears to be coming.

Just make sure nobody gets your credit card for any kind of DNSSEC-y service.
That's, I guess, my advice.
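The NSEC-versus-NSEC3 point above (walkable zones, then hashed names that are still guessable offline) is concrete enough to show in code. What follows is an added example, not code from this thread or from any DNSSEC implementation. It computes the RFC 5155 NSEC3 hash (SHA-1, with the salt `aabbccdd` and 12 iterations from the RFC's own appendix) over a small constructed zone and shows what a "no such name" proof discloses under each scheme: with NSEC, the two real names bracketing the query; with NSEC3, two hashes that cost one short hash chain per candidate to check against a word list.

```python
import base64
import hashlib
from bisect import bisect_left

# Parameters from RFC 5155 Appendix A: SHA-1, salt aabbccdd, 12 extra iterations.
SALT_HEX = "aabbccdd"
ITERATIONS = 12

# Constructed sample zone (not taken from the thread); "example" is the apex.
ZONE_NAMES = ["example", "a.example", "ns1.example", "www.example"]

# RFC 4648 base32 -> base32hex ("Extended Hex") alphabet, which RFC 5155 uses so
# that the text form of a hash sorts in the same order as its raw bytes.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def labels(name):
    """Lowercase labels of a presentation-format name ('A.Example.' -> ['a', 'example'])."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_key(name):
    """RFC 4034 canonical ordering key: labels compared right to left, case-insensitively."""
    return tuple(l.encode() for l in reversed(labels(name)))


def wire_name(name):
    """Canonical wire format: length-prefixed lowercase labels, terminated by a zero octet."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"


def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 section 5: H(...H(H(name || salt) || salt)...), base32hex, lowercase."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32 characters, so no padding is emitted.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def _bracket(sorted_items, keys, probe):
    """Return the two existing items whose keys enclose probe, wrapping at the chain end."""
    if probe in keys:
        raise ValueError("name exists in the zone; no denial of existence applies")
    i = bisect_left(keys, probe)
    return sorted_items[i - 1], sorted_items[i % len(sorted_items)]


def nsec_denial(zone_names, qname):
    """NSEC: a 'no such name' proof discloses the two real names on either side of qname."""
    order = sorted(zone_names, key=canonical_key)
    return _bracket(order, [canonical_key(n) for n in order], canonical_key(qname))


def nsec3_denial(zone_names, qname, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """NSEC3: the proof discloses the two hashes on either side of H(qname) instead."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in zone_names)
    return _bracket(hashes, hashes, nsec3_hash(qname, salt_hex, iterations))


def dictionary_check(hash_value, candidates, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """Why hashing helps only a little: testing a candidate name costs one short SHA-1 chain."""
    for name in candidates:
        if nsec3_hash(name, salt_hex, iterations) == hash_value:
            return name
    return None


if __name__ == "__main__":
    print(nsec3_hash("example"))                 # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom (RFC 5155 App. A)
    print(nsec_denial(ZONE_NAMES, "b.example"))  # ('a.example', 'ns1.example')
    disclosed = nsec3_denial(ZONE_NAMES, "b.example")
    print(disclosed)                             # two hashes, no names
    print([dictionary_check(h, ZONE_NAMES) for h in disclosed])  # names recovered from a word list
```

The salt and iteration count are public in the zone's NSEC3PARAM record, so they only slow a guess by a constant factor; a name that is guessable from a word list stays guessable. The mitigations that actually change the picture are out of scope here, but the code makes the thread's "password-file-style" comparison exact.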

~~~
soult
I agree with you on most points, just two things:

a) SSL is worth jack shit. It only tells me that some person paid some
obscenely large sum of money to some company so that my address bar glows in
green. CAs do a very bad job at verifying their customers. There have been
valid certificates at phishing sites and valid certificates with fake data.

DNSSEC won't fix that. But it will guarantee that when I type
bankofamerica.com in my browser, I will land at bankofamerica.com, even if
someone tries to hijack me.

b) We do need DNSSEC. Please go and watch Dan Kaminsky's talk about the
ramifications of the DNS bug he publicized. Everything in the end falls back
to DNS. Want an SSL cert? You will receive it per mail. Guess how the CA's mail
server will find your company's mail server...

c) Please don't start with "secure the connection" instead of "secure the
data". Even if I know that the line between my computer and my DNS server is
secure, I can't trust my DNS server.

~~~
maw
_a) SSL is worth jack shit. It only tells me that some person paid some
obscenely large sum of money to some company so that my address bar glows in
green. CAs do a very bad job at verifying their customers. There have been
valid certificates at phishing sites and valid certificates with fake data._

I agree here, except I think you meant to say that SSL _certs_ are worth jack.
And that's entirely true, as far as I know. SSL the protocol is probably more
or less ok.

I disagree with you in that I don't trust the competence of the designers of
DNSSEC. We may need something similar, but I doubt that DNSSEC as it exists
today is it.

~~~
tptacek
Anybody who tells you that "SSL the protocol is fine, just ignore the
signatures" isn't qualified to have an opinion about the relative security of
crypto protocols. Without certificates, SSL offers no security.

~~~
maw
Sigh. Go reread, but here's a hint: the main problem with SSL certs is not
their technical implementation.

------
jf
See also:

<http://data.iana.org/root-anchors/>

<http://arstechnica.com/security/news/2010/07/dns-root-zone-finally-signed-but-security-battle-not-over.ars>

<http://www.root-dnssec.org/>

------
andrewtj
I'm going to continue ignoring DNSSEC until I see it affect clients in a
meaningful way. Until then I think there are other things my users would prefer
I spent my time on.

~~~
djcapelis
The entire point of this story is that until this week your clients couldn't
have used it even if they wanted to and _that_ _changed_.

I'm not saying you have to go running off and caring about DNSSEC now, but the
kneejerk "omg it's not deployed" argument really isn't helpful or insightful
attached to a story about how it just finished getting deployed for real on
the roots finally after years of waiting.

~~~
andrewtj
Your reading of my post as "omg it's not deployed" is an unwarranted
exaggeration. I merely stated that for me, someone who maintains a
from-the-wire-up DNS implementation, this baby-step doesn't change anything
practical — which is something you've agreed with.

EDIT:

It goes without saying but I'll state it anyway, this cascade of down-votes is
not the reaction I'd expect for making what I consider to be a pretty
innocuous comment about something that potentially affects the priorities of
my startup.

~~~
djcapelis

_It goes without saying but I'll state it anyway, this cascade of down-votes is
not the reaction I'd expect for making what I consider to be a pretty innocuous
comment about something that potentially affects the priorities of my startup_

It's probably a reaction to your advocacy for ignorance at the expense of a
story marking an important milestone in DNS's capabilities.

If you insist on not caring, do so quietly. Some people around here are trying
to fix things, or break them, which hopefully will result in better systems.
In any case, you appear to be doing neither.

(As a side note, your assertion that I agree that this doesn't change anything
practical is false, as of yesterday people can resolve domains over DNSSEC,
that wasn't true last week. I consider this a practical change. I'm not a big
fan of DNSSEC as a protocol, but this is a big deal(tm).)

~~~
andrewtj
_as of yesterday people can resolve domains over DNSSEC_

People can resolve the root over DNSSEC. This is a milestone, but it's one to
be followed by many, many more before it affects clients.

~~~
djcapelis
No, some TLDs have already signed their zones. Some people are able to use
DNSSEC _today_.

isc.org appears to be using it already, for instance.

Edit:

    $ whois isc.org | grep DNSSEC
    DNSSEC:Signed

~~~
andrewtj
Regarding TLDs, you're again intimating that I have said something that I have
not said.

I do not dispute that some people are able to use DNSSEC and this does not
belie my original comment.

~~~
djcapelis
Last week: No one could use DNSSEC. No one did. No one was affected.

Today: Many people _can_ use DNSSEC. Some actually are. Some clients are
affected. (Just obviously not yours, since you remain completely uncaring
about the subject.)

I don't see how it could be any clearer.

~~~
andrewtj
Your assessment of what constitutes "many people" and mine clearly differ.

You are quite right that my clients are unaffected. I, like most of the world,
run a mix of Windows and OS X which, like the software that runs on top of
them, are not DNSSEC aware (with few exceptions).

Clearly I do care about the subject and I'm not sure why you keep stating that
I do not. There is a difference between ignoring a technology until it's
useful and ignoring it full-stop.

EDIT: Edited for brevity.

