[dns-wg] What about the last mile, was: getting DNSSEC deployed
Lutz Donnerhacke lutz at iks-jena.de
Fri Feb 16 11:40:14 CET 2007
* Roy Arends wrote: > explain to me how DNSSEC is dead by doing validation on a stub resolver. You can't update the installed base quick enought to gain the benefits of DNSSEC. If the recursing resolvers do not validate, the whole DNSSEC effect is going to zero. You will find about 100000 validating resolvers at end user sites and nobody will sign a zone for this group of geeks. >> I'm responsible for DNS at an ISP: The ISP's resolver know who queries >> it. > > So, what do you offer to your clients? SIG(0), TSIG, DTLS, some VPN method? Internet Access over our own infrastructure. If you are coming from extern, you have to use TSIG. > How many clients have configured that? The larger customers. It's about 20000 end users. We do not sell internet access to private users. > And with 'who queries it', you probably mean that you have some list in > place somewhere that discriminates on ip. Note that I can simply passive > query your resolver box. You wouldn't even know it is me. I can't see your point here. > I find those last two statements highly unlikely, but for argument sake, > multiply this by cost(crypto(lastmile))*count(users). I do not see the need for crypto on the last mile. >> > Why should I trust data, validated by my ISP? >> >> Because you choose him to do so. > > Eh? No, I rely on it to bring me the data. I'll validate it myself, thank > you very much. You are a geek. But you spoke about end users. And they trust their ISP for the data they received from him. You are still free to do the validation yourself. >> If you do not trust your ISP, you need an other one or you won >> validating protocols i.e. VPN to a trustwothy point. > > "trust" is not a binary concept. You need to relate trust to a service, > and then still, it comes in degrees. IBTD, but this is a useless discussion. > I trust my ISP to keep my link alive and to have proper peering in place. > I _could_ trust my ISP to serve me the right data, but that would only be > the right data in their perspective, wouldn't it, and that might not match > mine. For the joe end user, there is no difference. >> DNSSEC for end users is not a security issue, it's a deployment issue. > > Eh? Exactly. Turn on validation on the recursing servers and you are done. > DNSSEC is security backfitted on a widely deployed protocol. This has > deployment issues in general. Pushing deployment (incl. key management) to the end users is the wrong way.
[ dns-wg Archives ]