[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)

Joseph S D Yao jsdy at center.osis.gov
Wed Apr 4 21:21:31 UTC 2007

On Wed, Apr 04, 2007 at 12:17:31PM -0700, Steve Gibbard wrote:
> On Tue, 3 Apr 2007, Rodney Joffe wrote:
> >> What is the DNS control plane?  Is it something more than the ability
> >> to do AXFR?  To log in to the nameserver?  SOA/NS queries?
> >> 
> >> How would October 2002 have been different with a DNS control plane?
> >
> > Maybe there's a better phrase. I am defining a control plane as a 
> > point-to-point connection between sources of queries and sources of answers 
> > such that actions taken by any "actual" query source can "actually" by 
> > controlled by the "actual" answer source in such a way that all other query 
> > sources remain unaffected in any way.
> To substitute my own clumsy explanation for Rodney's, it sounds like 
> what's being described here is a separate control plane for name lookups 
> rather than a separate control plane for managing the DNS servers.  This 
> is what his UltraDNS DNS Shield does.

Is the connection really a separate out-of-band physical network?  Or a
VPN from one site to another?  The latter can still be knocked out by a
DDOS, even as it protects from any intrusion.  And, are faked responses
really the primary problem?  Yes, this also allows the name servers
being queried from being knocked out by queries from a disallowed
source, but that just means they are no longer public name servers,
which also means that they can't be the publicly advertised
authoritative names servers for any publicly available domain.

So, what problem does this really solve?  The reliability seems to be
entirely from the querier to the resolver, and after that, it's the same
as it is right now.  Unless a requirement to have a VPN between every
resolver and every authoritative name server comes into being.

Joe Yao
Analex Contractor

More information about the dns-operations mailing list