[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)

Patrik Fältström patrik at frobbit.se
Tue Apr 3 06:20:22 UTC 2007

On 3 apr 2007, at 06.12, Gadi Evron wrote:

> http://www.matasano.com/log/754/a-case-against-dnssec-a-matasano-miniseries/
> This from the perspective of a security practitioner. I am just
> forwarding, not stating my own opinion.

I do not agree at all with this note. With reasoning like that, it is
possible to reject all of the security measures we can apply to some
exchange of data over the Internet.

The reality is that we cannot find one solution that fixes all of
the security issues we can come up with. Instead we need all security
measures we can invent. Yes, all of them. Because only with multiple
pieces of the puzzle can we get the environment we all need.


> -----
> The head of the Internet Architecture Board has declared DNSSEC a
> success. The DNSSEC RFCs are standards-tracked. The DNS Extensions
> Working Group is winding down. Are we finally going to have a secure
> domain name system?
>
> No. I'll tell you why I don't think so:
>
>     * I'll argue that secure DNS doesn't solve a real problem.
>     * I'll argue that it's so complicated and expensive that nobody
>       will ever deploy it.
>     * I'll argue that it's actually contrary to the design of the
>       Internet.
>     * And, I'll argue that it's a huge waste of effort; in fact, that
>       the struggle to deploy DNSSEC will do more harm than good.
>
> Let me get started. First, what makes you think we need a secure
> domain name system?
>
> Because DNS is insecure! Anybody can spoof a DNS response, convincing
> my browser that my bank's website is really running on some
> mafia-controlled Linux box in Uzbekistan!
>
> You're right. DNS is totally insecure. You can't trust results coming
> from DNS.
>
> And that's a problem!
>
> Not really. You don't need to trust the DNS anymore. Real-world
> applications aren't supposed to trust names. At least a few of those
> applications really don't, and they seem to work OK.
>
> Want an example? Take my banking website. You can't spoof it, even if
> you do own up the DNS, because a third party has to cryptographically
> attest to my browser that the server has a valid key. Spoofing is
> prevented at the application layer, not the DNS.
>
> But not every application does that! We can't keep moving forward with
> no security in such a core part of the Internet infrastructure.
>
> I agree, in principle. The world would be a better place if the DNS
> was secure. But in reality, it's not worth the costs. DNSSEC --
> crypto-secured DNS -- is so complicated, unstable, and expensive that
> it's not worth the cost.
>
> How can you say it's unstable? Back that argument up with evidence!
>
> I can't, which is part of my point. After over 12 years of earnest
> development, there are still no mainstream deployments of DNSSEC. But
> I can read an RFC, compare DNSSEC to other protocols, and predict what
> the operator and user experience is going to be. And it seems like a
> nightmare.
>
> You know what? I don't even agree in principle. DNSSEC is a bad thing,
> even if it does work.
>
> How could that possibly be?
>
> It violates a fundamental design principle of the Internet.
>
> Nonsense. DNSSEC was designed and endorsed by several of the
> architects of the Internet. What principle would they be violating?
>
> The end-to-end argument in system design. It says that you want to
> keep the Internet dumb and the applications smart. But DNSSEC does the
> opposite. It says, "Applications aren't smart enough to provide
> security, and end-users pay the price. So we're going to bake security
> into the infrastructure."
>
> What's wrong with that? IPSEC says the same thing!
>
> Look how well that turned out. But IPSEC is at least optional: it's so
> all-or-nothing that the only place anybody thinks to turn it on is VPN
> links. But DNSSEC isn't a VPN tool. It's an anti-phishing tool.
> Everybody's going to have to deal with it, whether they have better or
> simpler ideas for providing security or not -- whether they even need
> security or not.
>
> It doesn't even solve the problem of securing the next wave of
> applications. It can't, because it doesn't know what those
> applications look like. But it's a pretty safe bet that many of them
> won't even use the DNS.
>
> Everything on the Internet uses DNS. The head of the IAB says so.
>
> The head of the IAB didn't design AOL Instant Messenger, far and away
> the most important messaging application on the Internet. DNS doesn't
> tell me how to find my friends on AIM; AOL's servers do. AIM isn't
> secure right now, but DNSSEC can't change that. Only the IM developers
> can. And they can do it without DNSSEC.
>
> The head of the IAB didn't design peer-to-peer file sharing, far and
> away the biggest consumer of traffic on the Internet. DNS doesn't tell
> me how to find files on a P2P network: the P2P protocols do. P2P isn't
> secure right now, but DNSSEC can't change that. Only the P2P
> developers can. And they can do it without DNSSEC.
>
> The head of the IAB didn't design content distribution networks like
> Akamai, which power many of the most important websites on the
> Internet. Vanilla DNS doesn't tell me what mirror to fetch content off
> of; Akamai's traffic directors do. I don't know if Akamai is secure or
> not, but I'm pretty sure DNSSEC isn't the deciding factor.
>
> If you think the future of the Internet involves things like overlay
> networks, peer-to-peer distributed systems, or large-scale web
> applications like Google and YouTube, you have to ask yourself: where
> does DNSSEC fit here? These things are happening independently of
> DNSSEC. They have to be: nobody, not even the IETF, thinks DNSSEC is
> going to go mainstream in the next 3 years.
>
> There's more to the Internet than the web. Maybe these people know
> better than you do. Some of them have been fighting spam and phishing
> for over a decade. What have you done?
>
> Probably not as much as they have. I'm a mercenary. A creepy security
> researcher. You probably don't want to take my word for how to design
> the Internet.
>
> But you probably don't want to take their word for it either. There
> are huge financial implications to how the DNS is architected. A lot
> is at stake. And despite the billions of dollars spent every year on
> security, despite the near universal staffing of security teams at
> every enterprise in the Fortune 500, there's no detectable market
> demand for DNSSEC.
>
> DNSSEC gets in the way. It distracts us from real problems that need
> to get solved. It also substitutes a bunch of IETF people for the
> judgement and expertise of the market, which actually has a track
> record in solving security problems. Some of the loudest IETF
> participants have no qualifications other than willingness to spend
> time on mailing lists and at conferences.
>
> You're an asshole.
>
> Indubitably. But convince me -- wait, no, just convince my readers! --
> that I'm wrong about this. You just heard my case. I'll repeat it.
> Then I'll go into detail on each point. Again, I'm saying:
>
>     * DNSSEC solves a non-problem.
>     * DNSSEC is too complicated to deploy.
>     * DNSSEC breaks the Internet.
>     * DNSSEC wastes time, energy, and money.
>
> If you want to argue, post a comment. I won't stop you. If you kick my
> ass, I'll put it on the front page. But right now, I think you're the
> opposite of right.
>
> Silence
>
> Hello? You there?
>
> Silence
>
> Oh well. I'd better get writing.
> -----
> 	Gadi.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations