To:
Edward Lewis <lewis@tislabs.com>, dnssec@cafax.se
From:
ted@tednet.nl (Ted Lindgreen)
Date:
Thu, 12 Apr 2001 17:25:24 +0200
Delivery-Date:
Fri Apr 13 08:55:29 2001
In-Reply-To:
"Edward Lewis's message as of Apr 11, 20:23"
Reply-To:
Ted.Lindgreen@tednet.nl
Sender:
owner-dnssec@cafax.se
Subject:
Re: lwresd, tsig, and caching
[Quoting Edward Lewis, on Apr 11, 20:23, in "lwresd, tsig, and ca ..."]
> Recently I visited with the nice folks at Nominum to catch up on DNSSEC in
> BIND. One of the topics that arose was the role of the lwresd ...
> ...
Very interesting, thanks for sharing this with us!
Now for opinions:
> A
> app client<--------------->lwresd<------------->recursive server
> localhost w/keys, no TSIG looks up +cd
> crypto check here
> B
> app client<--------------->lwresd<------------->recursive server
> localhost TSIG looks up and checks
> crypto check here
>
> What about feelings that "localhost" is trusted? Is it true that if
> localhost is compromised, you have bigger problems than a volnerable DNS?
I guess it helps to give an opinion on the second question first:
Yes, you have bigger problem if you can not trust localhost. because
even when you secure the "app <--localhost-->lwresd" communication
with another TSIG, your hacked "lwresd" can answer whatever it wishes.
Now, with this out of the way, we can simplify the picture above:
A
app host <------------------> recursive server
no TSIG, +cd
pre-conf keys
crypto check
B
app host <------------------> recursive server
TSIG
trusts ad pre-conf keys
crypto check
I guess, there will be a third and fourth one also:
C
app host <------------------> recursive server
no TSIG
hopes ad can pre-conf keys
can be trusted crypto check
D
app host <------------------> recursive server
yes/no TSIG
pre-conf keys pre-conf keys
crypto check crypto check
My guess is that all 4 will happen:
A
The really concerned user, capable enough to setup and maintain
his/her own security setup. Hopefully this will not be to many
users, because it may increase DNS load, especially if badly
setup.
B
Corporate and other selected user groups, that can rely on a
capable system administration, who sets up and maintains secure
recursive servers, and provides the users with TSIG.
C
The overly majority of random Internet users not being nursed by a
capable system administration, perhaps concerned, but not concerned
enough and/or not capable enough to go to catagory A above.
These people have little choice than to trust a well-known to be
good administred DNS forwarder, probably the one of their
(expensive) ISP. This may not be too bad, because of the
existance of catagory D below.
D
The "Internet Cops", perhaps professional or self-a pointed, to
check that the " good administred DNS forwarder" are really doing
their job properly and raise hell when not.
Now back to a local "lwresd": for the catagories A and D everyone
would really benefit from a solid local daemonprocess to check
and chase and, even more important, cache these results.
I'm not sure if B needs it (I guess TSIG can be added fairly easy
to a stub resolver?), and clearly C keeps using their simple
stub resolvers.
Regards,
-- Ted.