Re: dnssec discussion today at noon

[Derek Atkins <warlord@MIT.EDU>]

"Hallam-Baker, Phillip" <pbaker@verisign.com> writes:

> More importantly, examine those deployments and ask yourself 
> where the trust boundaries are situated. If I relay a request
> through DNS server X then I probably do so because I trust
> that service in some sense. If I don't trust the service I 
> am going to bypass it and chain directly to authoritative 
> services that I do trust.

You have clearly never been to an hotel where their Internet services
intercept all DNS queries regardless of where you send the message...
You cannot trust the infrastructure not to misbehave.  In fact just
the other day I was hit with a DNS re-write attack where my ISP (an
airport) re-wrote all my DNS queries to something of their choosing
(their goal being to force me to read their webpage, but it caused ssh
to fail until I figured that out).

> While transitive authentication is a nice feature of digital
> signatures I do not see that feature as being essential in this
> particular case.

Well, sure, if you have TSIG and use that, then you dont necessarily
need public key crypto to the end user.  However then you are still
trusting the path between your TSIG peer and the authoritative server.

> I think that a situation in which a client has a secure 
> connection to a DNS server which has a secure connection to
> certain often used DNS servers is a significant step forward
> in security from where we are.

In fact, ANY secure connection is better than where we are... Using
TSIG would be better than where we are.  However I run a local caching
nameserver on my laptop, so TSIG doesn't help me, as my resolver and
"trusted nameserver" co-exist.  I still need DNSSEC.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available