[dns-wg] What about the last mile, was: getting DNSSEC deployed
Lutz Donnerhacke lutz at iks-jena.de
Fri Feb 16 10:20:09 CET 2007
* Roy Arends wrote: > Lutz Donnerhacke wrote on 02/16/2007 09:24:33 AM: >> You can run a caching validating on your own system. > > Isn't that what I was saying ? I just don't want to do all the recursion. > My ISP's resolver can do that. So use it for this. > not really. I can also validate on a stub resolver. I wouldn't call this "stub". A stub resolver is a protocol translator: It offers an well known API to well known protocol. It does nothing more of the protocol itself. >> Following this proposal in the blog, DNSSEC is dead. > > Tell me Lutz, how does joe end user run a full featured validating > resolver daemon, when he barely understand the concept of DNS. The end user has a stub resolver pointing to a trustwothy validating one. It's this plain simple. If you want to break this behavior, DNSSEC is dead. > If he shouldn't run this, how does he setup "a established link to an > authenticated resolver". You're not really referring to just an bunch of > addresses in some resolv.conf or equivalent, since thats hardly an > established link. The ISP's resolver hardly knows who's talking to it. I'm responsible for DNS at an ISP: The ISP's resolver know who queries it. > Now, lets assume for a sec we don't run into scaling issues, since the > "authenticated resolver" needs to do some crypto for the "established > link", while doing some crypto to validate messages. DNSSEC validating on a larger resolver does scale well, because - that's the important observation I made - a lot of queries can be answered from cached NSEC records without querying further. The whole bunch of NXDOMAIN dropped by about 70% here. Crypto is cheap compared to networking. > Why should I trust data, validated by my ISP? Because you choose him to do so. > Them ISPs route me to a search page, while I should've received an > NXDOMAIN. but, no fear, the 'ad' bit is set, and I can just blindly trust > my ISP, while they're cashing (no typo) in on my unfortunate > misspellings. If you do not trust your ISP, you need an other one or you won validating protocols i.e. VPN to a trustwothy point. DNSSEC for end users is not a security issue, it's a deployment issue.
[ dns-wg Archives ]