Re: DNSSEC for IPSEC?
Date: Thu, 25 Jul 1996 01:30:49 -0700
> > * I am not confident of the security of the root servers.
> > What is the effect of root server key compromise or
> > the server itself?
>
> Signing of DNS records is designed to be performed
> offline. The input to signing is an ASCII zone file and a
> private key; the signing results in a new ASCII zone file,
> which includes the original DNS records, plus SIG
> records interspersed throughout.
>
> If one of the root zone's servers (there are half a dozen)
> is compromised, there is no issue. It will not be able to
> present authenticated bogus information, since the
> root zone's private key is held offline.
>
There is an issue. Storing the private key off-line is not
a deterrent: the mischievous person simply generates a
new key pair and re-signs the zone.
[ stuff deleted ]
> > * I believe that, for DNS records to be trustworthy, all
> > zones from the source zone to the root must be verifiable.
> > What is the likelihood that will happen anytime soon? What
> > is "soon"?
>
> There are two parts of the answer. First, within
> organizations, verification need not go all the way to
> the root, just to the common ancestor of the
> communicating parties. yyy.tokyo.sun.com need not
> trust the root or COM when checking keys for
> zzz.scotland.sun.com, if it has been configured to know
> sun.com's public key in a config file. This will be useful
> in intra-nets and in bootstrapping the Internet. The use
> of "upward key signatures" can also make this easier to
> administer.
>
> I have spoken with representatives of most of the major
> NICs at IETF, as well as with Jon Postel who runs the root
> zone. They all indicated a willingness to sign records
> for their customers as soon as the software to do so was
> available. They, too, are interested in securing the
> infrastructure that they are paid to maintain :-).
>
> I believe that most high level zones will have keys and
> offer signatures before the end of this year.
>
The value of DNS-SEC comes only if everyone uses it. Until
that time, which may be a decade or more down the road,
resolvers are going to have to trust any response,
thereby reducing DNS-SEC's value to a simple checksum.
There is little sign current DNS problems are going to be
resolved any time soon. For example, there are many DNS
servers issuing lame responses. Recently, Paul Vixie
enabled validation code in a beta release of BIND. There
was much complaint and the code was deactivated.
I question the value of using DNS-SEC to aid IPSEC.
Coupled with the issues I noted, and more I have not noted,
there is an open validation issue and little, if any,
operational experience. I am not convinced DNS-SEC will
offer much value for many years.
-dpg
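The offline signing step described in the quoted reply (an ASCII zone file plus a private key in, a zone file with SIG records out), a resolver configured with a zone's public key instead of a chain to the root, and the re-signing scenario raised in the message above, as an added example in Python; it is not code from this thread or from BIND. The sample zone, the hostnames, the Mersenne-prime key pairs and the textbook RSA signature scheme are constructed assumptions standing in for the RSA/MD5 KEY and SIG records of the period (inception and expiration times are omitted). The part worth watching is what a resolver holding the zone's configured public key does with an RRset that a server operator has re-signed under a key pair the resolver was never told about.

```python
"""Toy model of DNSSEC offline zone signing and trust-anchor validation.

Added example for this thread, not code from the message or from BIND.
Textbook RSA over hard-coded Mersenne primes keeps it standard-library
only; real DNSSEC of the period (RFC 2065) used RSA/MD5 KEY records and
SIG records carrying inception/expiration times, which are omitted.
"""
import hashlib

E = 65537
# Toy primes (2**61-1, 2**89-1, 2**107-1, 2**127-1): far too small for real use.
ZONE_PRIMES = (2**61 - 1, 2**89 - 1)        # the zone owner's key pair
INTRUDER_PRIMES = (2**107 - 1, 2**127 - 1)  # a second pair an intruder generates

# Constructed sample zone, one record per line: "owner ttl class type rdata".
ZONE = [
    "www.example.com. 3600 IN A 192.0.2.10",
    "www.example.com. 3600 IN A 192.0.2.11",
    "mail.example.com. 3600 IN A 192.0.2.25",
    "example.com. 3600 IN MX 10 mail.example.com.",
]


def make_keypair(p, q):
    """Textbook RSA: public (n, e), private (n, d). Toy sizes only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _rrset_digest(rrset, n):
    """Hash the canonical text of one RRset, reduced into the modulus range."""
    h = hashlib.sha256("\n".join(sorted(rrset)).encode()).digest()
    return int.from_bytes(h, "big") % n


def _group_rrsets(records):
    """Group records by (owner, type): one SIG covers a whole RRset."""
    groups = {}
    for rec in records:
        f = rec.split()
        groups.setdefault((f[0], f[3]), []).append(rec)
    return groups


def sign_zone(records, private_key):
    """Offline signing step: zone file in, zone file with SIG records out."""
    n, d = private_key
    out = []
    for (owner, rtype), rrset in _group_rrsets(records).items():
        out.extend(rrset)
        sig = pow(_rrset_digest(rrset, n), d, n)
        out.append(f"{owner} 3600 IN SIG {rtype} {sig}")
    return out


def validate(signed_zone, trust_anchor):
    """Validating resolver: keep the RRsets whose SIG verifies under the
    public key it was configured with; everything else is rejected."""
    n, e = trust_anchor
    sigs, rrsets = {}, {}
    for line in signed_zone:
        f = line.split()
        if f[3] == "SIG":
            sigs[(f[0], f[4])] = int(f[5])
        else:
            rrsets.setdefault((f[0], f[3]), []).append(line)
    accepted, rejected = {}, {}
    for key, rrset in rrsets.items():
        sig = sigs.get(key)
        ok = sig is not None and pow(sig, e, n) == _rrset_digest(rrset, n)
        (accepted if ok else rejected)[key] = rrset
    return accepted, rejected


def intruder_resign(signed_zone, intruder_private, victim="www.example.com."):
    """Compromised-server scenario: replace one name's A records and
    re-sign that RRset with a freshly generated key pair of the intruder's own."""
    kept = [line for line in signed_zone if line.split()[0] != victim]
    forged = sign_zone([f"{victim} 3600 IN A 198.51.100.66"], intruder_private)
    return kept + forged


def run():
    """Returns (honest accepted, honest rejected, forged accepted, forged rejected)."""
    zone_pub, zone_priv = make_keypair(*ZONE_PRIMES)   # private half stays offline
    signed = sign_zone(ZONE, zone_priv)                # what the name servers serve
    ok1, bad1 = validate(signed, zone_pub)             # resolver configured with zone_pub
    _, intruder_priv = make_keypair(*INTRUDER_PRIMES)
    forged = intruder_resign(signed, intruder_priv)    # served from a compromised box
    ok2, bad2 = validate(forged, zone_pub)
    return len(ok1), len(bad1), len(ok2), len(bad2)


if __name__ == "__main__":
    print(run())  # (3, 0, 2, 1): only the re-signed www RRset is rejected
```

The resolver in this model is the configured-key case from the quoted text (yyy.tokyo.sun.com holding sun.com's public key in a config file). A resolver that has no key for the zone at all, the situation the message above describes for the years before everyone signs, has nothing to compare a SIG against and falls back to trusting the response.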