To:
dnssec@cafax.se
Cc:
lewis@tislabs.com
From:
Edward Lewis <lewis@tislabs.com>
Date:
Wed, 11 Apr 2001 15:21:11 -0400
Delivery-Date:
Thu Apr 12 09:12:11 2001
Sender:
owner-dnssec@cafax.se
Subject:
lwresd, tsig, and caching
Recently I visited with the nice folks at Nominum to catch up on DNSSEC in
BIND. One of the topics that arose was the role of the lwresd. To start
with, here are some observations:
1) During the make of BIND - there is "ln named lwresd" (more or less)
lwresd is basically a copy of named - but reads a different config file.
2) TSIG has been a sticking point when it comes to using it in general
queries and responses - where does one store a publically available
secret on a multi-user machine?
3) For years now, stub resolvers at a site "pointed" to a recursive server
to get data, this helped cut down on Internet traffic as the local server
only did one lookup for potentially many clients.
The new "architecture" of the BIND distribution is to bascially have a
lwresd on each machine instead of a stub resolver. Since most of the work
in a name server is the resolver, lwresd is basically a copy of named.
"lwresd" means lightweight-resolver-daemon, but this is a slight misnomer.
The daemon is not lightweight, the protocol accessing it is.
The lwresd is designed to be used a forwarding server. All queries will be
forwarded on to the "legacy" recursive name server as before. This saves
the Internet undue lookups.
The question that arises is the role of this and DNSSEC.
One set up could be that an application would issue a lwresd call across
localhost to the daemon - without any reference to TSIG or trusted-keys.
The daemon would then forward the query to the recursive server. The
option here is whether this is done by TSIG (which is no longer publically
needed on the client machine) or with a set of trusted keys.
The recursive server would do the regular work of building an answer. The
option is whether the answer is cryptographically checked (ad on reply) or
not (cd on query). Part of this will depend on whether the lwresd plans to
do its own checking or uses TSIG. Keep in mind that the lwresd machine may
have more or different trusted keys than the recursive server.
So...anyone have opinions on this:
A
app client<--------------->lwresd<------------->recursive server
localhost w/keys, no TSIG looks up +cd
crypto check here
B
app client<--------------->lwresd<------------->recursive server
localhost TSIG looks up and checks
crypto check here
What about feelings that "localhost" is trusted? Is it true that if
localhost is compromised, you have bigger problems than a volnerable DNS?
What about apps that want to be involved in the security of the DNS lookups
- they would like to display the security of the answer, or say, specify a
secured TSIG/server to use inspite of configured servers. (As could be the
case with the IETF terminal room & DHCP.)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis NAI Labs
Phone: +1 443-259-2352 Email: lewis@tislabs.com
Dilbert is an optimist.
Opinions expressed are property of my evil twin, not my employer.