To: dnssec@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Tue, 11 May 2004 10:04:53 -0400
In-Reply-To: Message from Miek Gieben <miekg@atoom.net> of "Tue, 11 May 2004 13:47:43 +0200." <20040511114743.GD18540@atoom.net>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication
-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Miek" == Miek Gieben <miekg@atoom.net> writes:

Miek> Ad 2: Some applications and end-users will want to do their
Miek> own validation. They want to be sure to talk with the right
Miek> party, for instance when doing on-line shopping or banking, or
Miek> use the DNS to exchange IPsec or SSH key information.

Miek> For those applications, security is mandatory, or the "it's
Miek> only OK, when it's OK" principle: if the validation checks
Miek> out, it's OK, if not, the info is unusable. It does not matter

Not true.

Consider the case of SSH (or an IPsec with SSH-like caching of keys).
If one has cached the server's key already on disk, then the request to
DNS for the key is ONLY because one wants to know if the key has
*officially* changed.

As such, a RR with an expired signature for a SSHKEY RR that matches
what is on disk is acceptable. A warning should be emitted, but that is
all. Someone has screwed up, but we can work around it.

On the other hand, a RR set that goes from signed to unsigned or fails
verification is a symptom of tampering.

{ Of the intrusions that I've discovered, 70% of them were discovered
because the rootkit installed its own SSH host key! }

Miek> Ad 3: David has a valid point in that you can use CD=1 and
Miek> query your forwarder to debug. However if your forwarder is
Miek> malicious this won't help. I believe we also need to develop
Miek> debugging tools that go after the authoritative servers
Miek> directly.

I'm not concerned about the co-located forwarder being malicious.
The key thing is that I want to avoid doing the work (and debugging the
code) in multiple places. I just want information for the
admin/audit-log, not for independent verification.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQKDdg4qHRg3pndX9AQFOoQP/a9tLBO6sD9LqE11UCrPYd3sTwSyKTwVq
WKUCd2Tdu/LSWKTPdyfkDXHnrySX6nk0xhmRdLwMvFlqSRHYt1pZ56gfxaJPl1lJ
+3HSfmYsDcUKSHYpXf9IIBEYkx6zqe8717zUYxbyta1rk1PtdZxrO5wcXFfVgmZL
J37zDpQHQOQ=
=0n63
-----END PGP SIGNATURE-----
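The decision policy Richardson sketches above (expired signature plus a matching cached key is tolerable with a warning; signed-to-unsigned or a failed verification is a tampering symptom) can be written down as a small state table. The following is an added example, not code from the thread or from any of the projects mentioned; the `Dnssec` states, the first-contact rule (no cached key means only a validated answer is usable, which follows Miek's "only OK when it's OK" principle) and the handling of an expired signature with a *different* key (rejected, because an official change cannot be distinguished from tampering) are assumptions made for the example.

```python
"""Audit-log oriented policy for combining a locally cached SSH host key
with the key published in DNS, in the spirit of the post above.
Added example; not the poster's code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Dnssec(Enum):
    """Validation outcome for the host-key RRset (assumed set of states)."""
    SECURE = "secure"        # RRSIG present and verifies, not expired
    EXPIRED_SIG = "expired"  # RRSIG present and verifies, but past its expiration
    BOGUS = "bogus"          # RRSIG present but fails verification
    UNSIGNED = "unsigned"    # RRset carries no RRSIG at all


class Decision(Enum):
    ACCEPT = "accept"                       # use key_to_use as published/cached
    ACCEPT_WITH_WARNING = "accept-warning"  # use cached key; log that a signature lapsed
    REJECT = "reject"                       # symptom of tampering: refuse


@dataclass
class Verdict:
    decision: Decision
    key_to_use: Optional[bytes]
    log: List[str] = field(default_factory=list)  # lines for the admin/audit log


def decide(cached_key: Optional[bytes], dns_key: Optional[bytes],
           status: Dnssec, zone_was_signed: bool = True) -> Verdict:
    """Decide whether the connection may proceed and which key to trust.

    cached_key:      host key previously stored on disk, or None on first contact
    dns_key:         host key found in the DNS answer (None if the RRset is absent)
    status:          DNSSEC validation state of that answer
    zone_was_signed: whether the zone was signed the last time we looked (assumed
                     to be remembered alongside the cached key)
    """
    log: List[str] = []

    if cached_key is None:
        # First contact: nothing to compare against, so only a validated
        # answer gives us a key at all (assumption following the quoted principle).
        if status is Dnssec.SECURE and dns_key is not None:
            log.append("first contact: validated DNS key accepted")
            return Verdict(Decision.ACCEPT, dns_key, log)
        log.append(f"first contact with DNSSEC status '{status.value}': key unusable")
        return Verdict(Decision.REJECT, None, log)

    if status is Dnssec.BOGUS:
        log.append("host-key RRset fails signature verification: possible tampering")
        return Verdict(Decision.REJECT, None, log)

    if status is Dnssec.UNSIGNED:
        if zone_was_signed:
            log.append("host-key RRset went from signed to unsigned: possible tampering")
            return Verdict(Decision.REJECT, None, log)
        # Zone was never signed: DNS adds no information, rely on the cache.
        log.append("zone unsigned; DNS consulted but not relied upon, using cached key")
        return Verdict(Decision.ACCEPT, cached_key, log)

    if status is Dnssec.EXPIRED_SIG:
        if dns_key == cached_key:
            # The key we already hold is still what the zone publishes; only the
            # signature maintenance slipped. Work around it, but say so.
            log.append("WARNING: RRSIG expired but DNS key matches cached key; "
                       "someone let the signature lapse")
            return Verdict(Decision.ACCEPT_WITH_WARNING, cached_key, log)
        log.append("RRSIG expired and DNS key differs from cache: "
                   "cannot distinguish an official change from tampering")
        return Verdict(Decision.REJECT, None, log)

    # status is SECURE with a cached key on hand
    if dns_key == cached_key:
        log.append("validated DNS key matches cached key")
        return Verdict(Decision.ACCEPT, cached_key, log)
    log.append("validated DNS key differs from cache: key officially changed, "
               "replacing cached key")
    return Verdict(Decision.ACCEPT, dns_key, log)


if __name__ == "__main__":
    # Constructed sample keys; real SSH host keys would be full public-key blobs.
    for args in [(b"key-A", b"key-A", Dnssec.EXPIRED_SIG),
                 (b"key-A", b"key-A", Dnssec.UNSIGNED),
                 (b"key-A", b"key-B", Dnssec.SECURE),
                 (None, b"key-A", Dnssec.EXPIRED_SIG)]:
        v = decide(*args)
        print(v.decision.value, v.key_to_use, "|", "; ".join(v.log))
```

The function never performs validation itself; it consumes a validation state the resolver already produced, which matches the post's wish to do the verification work in one place and only ship the result to the audit log.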