JFC Morfin jefsey at jefsey.com
Tue Sep 2 09:13:04 EDT 2008

Dear European @larges,
During the past days we had a few exchanges over the DNSSEC issue as 
seen from an @large Internet lead user point of view and what should 
then be reported to the BoD.

I do not think this ccNSO document is perfect for us, but it could be 
a good DNSSEC-oriented basis for an @large debate, as it is not that 
far from our preoccupations.

An @large debate should first:

1. understand the problem from a user point of view, i.e.

     (1) get a complete picture of the DNS vulnerability as evaluated 
today, and of the areas of increasing risk.

     (2) to be sure the IP address obtained from a DNS resolution is correct.

     This can be done in three ways:

      - by making sure that the data we receive are the authoritative data
      - by making sure that the data we receive come from the authority
      - by making sure no one can tamper with them.

     There is no 100% secure solution today, mostly because the DNS 
as a system was not designed to be attacked, let alone to be attacked 
by computers with the processing capacity we have today and will 
have in the future.

     (3) to know what to do if the IP address is not declared secure. 
So far no work has been carried out in that direction.

2. evaluate the advantages and the limits of each way and decide 
whether the principles of their constraints are acceptable from a usage 
point of view. The most difficult issue in this kind of accuracy 
computation is the basis considered. What may lead to a very great 
technical local accuracy may also lead to a very great practical 
global inaccuracy. Technicians are interested in the best technical 
local accuracy. This is the case with DNSSEC. Politicians are 
interested in the best precision control (signing the root can give 
them that). Users are interested in the best practical global 
accuracy (practical including their own practice of the proposed solution).

3. Today there are three main proposals.

- IETF DNSSEC, which signs the data and is extremely complex. The DNS, 
and the world, become centralized by the IANA.
- DJB's DNSCurve, which signs the nameserver access and is very 
simple. The DNS is much more secure.
- The emerging Internet Plus / france at large proposal, which includes the 
suggestion to organise one's DNS system around one's own local root 
obtained from one's trusted referential system. There is no other 
change than possible full support of the virtual root, quicker 
service and a better fit with Web 2.0 behavior.

4. Each of them may need refining.

- Neither the IETF's nor DJB's proposal documents how users/applications 
should react to a non-positive result. Internet Plus does not have this 
problem, since it considers an "as-is Internet".
- There is no technical objection to using two, or even all three, 
solutions at the same time.
- DNSSEC is a traffic amplifier, depends on two unique parameters 
(root hierarchy and root time), has a single point of global failure 
and (even with NSEC3's added cost to the attacker) permits obtaining an 
AXFR of every zone.
- Impact of IPv6 and IDNA has not been tested.

5. There should be some ALAC liaison with SSAC, ccTLDs (the ccNSO only 
represents a fraction of them) and GNSO constituencies over the general 
DNS vulnerability.


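The zone-walking remark in point 4 of the message above (that a DNSSEC-signed zone's NSEC chain lets anyone list every name, and that NSEC3 only adds cost for the attacker), worked through as an added example. This is not code from the message, the ccNSO document or any of the three proposals it names. It assumes a constructed zone example.test. with a hand-written NSEC chain, constructed NSEC3 salt and iteration values, and a constructed attacker wordlist; the nsec3_hash function follows RFC 5155 section 5 and reproduces the apex hash from that RFC's Appendix A example zone.

```python
"""Zone enumeration through authenticated denial-of-existence chains (offline).

NSEC records link each owner name in a signed zone to the next one, so
following the chain lists the whole zone; NSEC3 links hashed owner names,
which turns the listing into an offline dictionary attack on the hash.
All zone data below is constructed for the example.
"""
import base64
import hashlib

ZONE = "example.test."                    # constructed zone, not a real one
NSEC3_SALT = bytes.fromhex("aabbccdd")    # constructed NSEC3PARAM salt
NSEC3_ITERATIONS = 10                     # constructed NSEC3PARAM iteration count


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, each prefixed by
    its length, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: H(x) = SHA-1(x || salt), applied 1 + iterations times, and
    presented in Base32hex (RFC 4648 s7); a 20-byte digest needs no padding."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")
    # The base64 module only offers the RFC 4648 alphabet; remap to "extended hex".
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()


# Constructed NSEC chain: owner name -> (next owner name, type bitmap). A real
# resolver collects one such record per NXDOMAIN answer; here the chain is inline.
NSEC_CHAIN = {
    "example.test.":             ("admin.example.test.",       "NS SOA RRSIG NSEC DNSKEY"),
    "admin.example.test.":       ("db-internal.example.test.", "A RRSIG NSEC"),
    "db-internal.example.test.": ("www.example.test.",         "A RRSIG NSEC"),
    "www.example.test.":         ("example.test.",             "A AAAA RRSIG NSEC"),
}


def walk_nsec(chain: dict, apex: str) -> list:
    """Follow the 'next owner' pointers from the apex until they wrap around.
    Every owner name comes out in clear: an AXFR-equivalent listing."""
    names, current = [], apex
    while current not in names:          # stops at the wrap-around or on a loop
        names.append(current)
        next_owner, _types = chain[current]
        current = next_owner
    return names


def build_nsec3_chain(names: list, salt: bytes, iterations: int) -> dict:
    """Builds the sample NSEC3 chain the way a signer does: hash every owner
    name, sort the hashes, link each to the next (the last wraps to the first)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def walk_nsec3(chain: dict, start: str) -> list:
    """Same walk as NSEC, but it only yields hashed owner names."""
    hashes, current = [], start
    while current not in hashes:
        hashes.append(current)
        current = chain[current]
    return hashes


def crack_nsec3(hashes: list, zone: str, salt: bytes, iterations: int,
                wordlist: list) -> dict:
    """Offline dictionary attack: hash each guess with the zone's public salt
    and iteration count and match it against the walked chain. The iteration
    count is the only thing raising the attacker's cost."""
    targets = set(hashes)
    guesses = [zone] + [f"{word}.{zone}" for word in wordlist]
    recovered = {}
    for guess in guesses:
        digest = nsec3_hash(guess, salt, iterations)
        if digest in targets:
            recovered[digest] = guess
    return recovered


if __name__ == "__main__":
    listing = walk_nsec(NSEC_CHAIN, ZONE)
    print("NSEC walk lists:", listing)
    chain3 = build_nsec3_chain(listing, NSEC3_SALT, NSEC3_ITERATIONS)
    # The apex name is public, so its hash is a known starting point in the chain.
    walked = walk_nsec3(chain3, nsec3_hash(ZONE, NSEC3_SALT, NSEC3_ITERATIONS))
    wordlist = ["www", "mail", "admin", "ftp", "ns1"]   # constructed attacker wordlist
    print("NSEC3 walk yields %d hashes; dictionary recovers:" % len(walked),
          crack_nsec3(walked, ZONE, NSEC3_SALT, NSEC3_ITERATIONS, wordlist))
```

In the run, the NSEC walk returns all four names in clear, while the NSEC3 walk returns four hashes of which the wordlist recovers three; db-internal stays hidden only because it is not in the guess list, which is the whole of the "added cost" NSEC3 provides.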
More information about the EURO-Discuss mailing list