> On Mar 13, 2015, at 10:21 AM, Morizot Timothy S <timothy.s.mori...@irs.gov> wrote:
>
> It’s been steadily increasing for years now and gives me an idea what percentage of the US public is protected against certain types of attacks involving our zones. DNSSEC validation is not a panacea, but in a layered approach toward combating fraud and certain sorts of attacks, it does provide a particular sort of protection not available through any other means. Whether or not ISPs sign their authoritative zones matters much less to us than whether or not they implement DNSSEC validation on their recursive nameservers. And that’s not a failure at all. By the measure above (which isn’t perfect, but the best one available) roughly a fifth to a quarter of the US public, the primary consumers of our zones, exclusively use validating nameservers. That’s significant. Would I like to see it higher? Sure. But I’ll take it.
The problem is validation by the recursive resolver is nearly useless for security, but one heck of an effective DOS attack (NASA, HBO, etc)...

Let's look at what real-world attacks on DNS are.

a: Corrupt the registrar. DNSSEC do any good? Nope.

b: Corrupt the traffic in-flight (on-path or in-path). DNSSEC do any good? Only if the attacker is not on the path for the final traffic, but just the DNS request.

c: The recursive resolver lies. Why would you trust it to validate?

d: The NAT or a device between the recursive resolver and the user lies. Again, validation from the recursive resolver works how?

Overall, unless you are validating on the end host rather than the recursive resolver, DNSSEC does a lot of harm from misconfiguration-DOS, but almost no good.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu        full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop