> On Mar 13, 2015, at 7:59 PM, Paul Vixie <p...@redbarn.org> wrote:
>
>> Nicholas Weaver
>> Saturday, March 14, 2015 5:07 AM
>>>
>>> ...
>>>
>>> Overall, unless you are validating on the end host rather than the
>>> recursive resolver, DNSSEC does a lot of harm from misconfiguration-DOS,
>>> but almost no good.
>
> several of us jumped for joy in 2008 when kaminsky showed rdns poisoning to
> be a trivial exercise, because it finally provided justification for what was
> at that time 12 years of apparently-wasted effort on DNSSEC.

But it didn't justify DNSSEC, even at the time.

Between actually adding in a bit more entropy in the request through 0x20 and port randomization, and more importantly cleaning up the glue policy for recursive resolvers (which Unbound did), you close the door on off-path attackers: both making races harder AND eliminating the "race until win" property.

In fact, several have viewed the glue policy cleanup which gets to the root cause of the Kaminsky problem as detrimental specifically because of the desire to force DNSSEC adoption.

> so we'll keep pushing the crap system we have, uphill all the way, no one
> loving it, and almost everyone in fact hating it. we've now spent more
> calendar- and person-years on DNSSEC than was spent on the entire IPv4
> protocol suite (including DNS itself) as of 1996 when the DNSSEC effort
> began. ugly, ugly, ugly.

At which point is it sunk cost fallacy? "DNS is insecure, live with it" may be the best answer. Why keep throwing good effort after bad?

It certainly is a hell of a lot better than the DOS attack that is recursive resolver validation which provides almost no meaningful security gain.

If I were Comcast, after the HBO DNSSEC mess-up, on top of previous mess-ups where Comcast inevitably gets the blame, I'd be really really tempted to turn OFF DNSSEC validation.

It has failed.

--
Nicholas Weaver                    it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu          full of sound and fury,
510-666-2903                       signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
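The three resolver-side mitigations Weaver names in the thread (0x20 case randomization, source-port randomization, and a stricter glue policy) can be modelled in a few dozen lines. The following is an added example, not code from the thread, from Unbound or from any other resolver: it simulates a recursive resolver that accepts a response only when the transaction ID, destination port and byte-exact QNAME case all echo the outstanding query, then caches records with credibility ranks so that additional-section glue can never displace data learned from an answer section. That last rule is what removes the "race until win" property for the target name. The ephemeral-port pool size, the credibility ranks, the example names and the 192.0.2.x / 198.51.100.x addresses are all assumptions constructed for the demonstration.

```python
"""Simulation of off-path poisoning mitigations at a recursive resolver.

Constructed example (not from the thread or any real resolver). Models:
  1. TXID match (16 bits of entropy per outstanding query),
  2. source-port randomization (roughly 16 more bits, pool size assumed),
  3. 0x20 case randomization (one bit per letter in the QNAME),
  4. cache credibility: answer-section data outranks additional-section glue,
     and glue outside the queried zone is dropped (bailiwick check).
"""
import math
import random
import secrets
from dataclasses import dataclass

PORT_POOL = 65536 - 1024          # assumed ephemeral-port pool a resolver picks from
ANSWER, GLUE = 2, 1               # credibility ranks: answer data outranks glue


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    qname: str                    # carries the 0x20-randomised case


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    answer: tuple
    additional: tuple


def randomize_case(name: str, rng=random) -> str:
    """0x20 encoding: give each letter of the QNAME a random case."""
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower()
                   for c in name)


def make_query(name: str) -> Query:
    """Outgoing query with random TXID, random source port and 0x20 case."""
    return Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(PORT_POOL),
                 randomize_case(name))


def response_matches(q: Query, r: Response) -> bool:
    """All three fields must echo the query; the exact qname compare is the 0x20 check."""
    return r.txid == q.txid and r.dst_port == q.src_port and r.qname == q.qname


def entropy_bits(name: str) -> dict:
    """Bits a blind, off-path guess must match per forged packet, by mitigation."""
    return {"txid": 16, "port": math.log2(PORT_POOL),
            "0x20": sum(c.isalpha() for c in name)}


def race_success_probability(bits: float, forged_packets: int) -> float:
    """Chance that at least one of N blind guesses matches one outstanding query."""
    return 1 - (1 - 2 ** -bits) ** forged_packets


def in_bailiwick(name: str, zone: str) -> bool:
    return name.lower().endswith(zone.lower())


class Cache:
    def __init__(self):
        self._rrs = {}            # (lowercased name, type) -> (rdata, credibility)

    def store(self, rr: RR, credibility: int) -> bool:
        key = (rr.name.lower(), rr.rtype)
        current = self._rrs.get(key)
        if current is None or credibility >= current[1]:
            self._rrs[key] = (rr.rdata, credibility)
            return True
        return False              # lower-credibility data never displaces higher

    def lookup(self, name: str, rtype: str):
        hit = self._rrs.get((name.lower(), rtype))
        return None if hit is None else hit[0]


def accept_response(cache: Cache, pending: Query, r: Response, zone: str) -> bool:
    """Match the outstanding query, then cache answer data at full credibility and
    in-bailiwick glue at reduced credibility; out-of-zone glue is ignored."""
    if not response_matches(pending, r):
        return False
    for rr in r.answer:
        cache.store(rr, ANSWER)
    for rr in r.additional:
        if in_bailiwick(rr.name, zone):
            cache.store(rr, GLUE)
    return True


def demo() -> str:
    """Cache a legitimate answer, then show that a response for an unrelated name in
    the zone cannot overwrite it through the additional section, even if it matched."""
    cache = Cache()
    q1 = make_query("www.example.com.")
    legit = Response(q1.txid, q1.src_port, q1.qname,
                     answer=(RR("www.example.com.", "A", "192.0.2.10"),), additional=())
    accept_response(cache, q1, legit, "example.com.")

    # Constructed worst case: the response for a throwaway name echoes TXID, port and
    # case correctly, and its additional section carries a conflicting www record.
    q2 = make_query("random123.example.com.")
    conflicting = Response(q2.txid, q2.src_port, q2.qname,
                           answer=(RR(q2.qname, "A", "198.51.100.1"),),
                           additional=(RR("www.example.com.", "A", "198.51.100.1"),))
    accept_response(cache, q2, conflicting, "example.com.")
    return cache.lookup("www.example.com.", "A")   # glue loses: still "192.0.2.10"
```

`entropy_bits` makes the "making races harder" half of the argument concrete: TXID alone is 16 bits, port randomization roughly doubles that, and 0x20 adds one bit per letter of the name. `demo` shows the other half: once answer-section data outranks glue and out-of-zone glue is dropped, repeating the race against fresh random names no longer buys anything for the record that matters, which is the property Weaver attributes to the glue-policy cleanup.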