[EURO-Discuss] ALAC-WG on DNSSEC
JFC Morfin
jefsey at jefsey.com
Tue Sep 2 09:13:04 EDT 2008
Dear European @larges,
During the past days we had a few exchanges over the DNSSEC issue as
seen from an @large Internet lead user point of view and what should
then be reported to the BoD.
I do not think this ccNSO document is perfect for us, but it could be
a good DNSSEC-oriented basis for an @large debate, as it is not that
far from our preoccupations.
http://ccnso.icann.org/workinggroups/ccnso-iana-wg-dnssec-paper-04feb08.pdf
An @large debate should first:
1. understand the problem from a user point of view, i.e.
(1) get a complete picture of the DNS vulnerability as it is
evaluated today, and the areas of increasing risk;
(2) be sure that the IP address obtained from a DNS resolution is correct.
This can be done in three manners:
- in making sure that the data we receive are the authoritative data
- in making sure that the data we receive come from the authority
- in making sure no one can tamper with them.
There is no 100% secure solution today, mostly because the DNS
as a system was not designed to be attacked, and to be attacked by
computers having the processing capacity we have today and we will
have in the future.
(3) know what to do if the IP address is not declared secure.
So far no work has been carried out in that direction.
2. evaluate the advantages and the limits of each manner and decide
if the principles of their constraints are acceptable from a usage
point of view. The most difficult issue in this kind of accuracy
computation is the considered basis. What may lead to a very great
technical local accuracy may also lead to a very great practical
global inaccuracy. Technicians are interested in the best technical
local accuracy. This is the case with DNSSEC. Politicians are
interested in the best precision control (signing the root can give
them that). Users are interested in the best practical global
accuracy (practical including their own practice of the proposed solution).
3. Today there are three main propositions.
- IETF DNSSEC, which signs the data and is extremely complex. The DNS
and the world become centralized by the IANA.
- DJB's DNSCurve, which signs the nameserver access and which is very
simple. The DNS is much more secure.
- The Internet Plus france at large emerging proposition, which includes the
suggestion to organise one's DNS system around one's own local root
obtained from one's trusted referential system. There is no other
change than full possible support of the virtual root, quicker
service, and better adequacy to Web 2.0 behavior.
4. Each of them may need refining.
- Neither the IETF nor DJB's proposition documents how users/applications
should react to a non-positive. Internet Plus does not have this problem
since it considers an "as-is Internet".
- There is no technical objection to using two solutions, or even all
three solutions, at the same time.
- DNSSEC is a traffic amplifier, depends on two unique parameters
(root hierarchy and root time), has a single point of global failure
and (even with the added cost to the attacker of NSEC3) permits obtaining an
AXFR of every zone.
- The impact of IPv6 and IDNA has not been tested.
5. There should be some ALAC liaison with SSAC, ccTLDs (ccNSO only
represents a fragment of them) and GNSO constituencies over the general
DNS vulnerability issues.
jfc