[dns-operations] the mathematics of kaminsky spoofing probability

Shane Kerr shane at ca.afilias.info
Fri Aug 8 07:50:04 UTC 2008


You seem to be arguing that having a trust anchor repository will make
DNSSEC simple and easy. I agree that having a trust anchor repository is
better than nothing, but still not nearly as nice as having a chain of
signed delegations from the root. And while simple and easy for any
given administrator, for the entire Internet it seems like a solution
firmly planted in the wrong side of the 80/20 rule. :)

Some further comments inline...

On Thu, 2008-08-07 at 15:47 -0700, David Conrad wrote:
> On Aug 6, 2008, at 1:51 AM, Shane Kerr wrote:
> > I assure you nobody is going to put the keys for my vanity domain into
> > their list of trust anchors.
> Why not?  If your trust anchor is with a bunch of others in a (set of)  
> well known place(s) and there are tools that allow for those trust  
> anchors to be downloaded and installed on a periodic basis, I'd think  
> people would make use of your vanity domain trust anchor.

That is true, yet AFAIK there is no such place, and there are no such

And of course a big problem with this is the same as one with DLV: it
does not follow the existing relationship between the parent and child
in the DNS. This relationship can be approximated by someone maintaining
a list of trust anchors by rigorous administrative policies and a few
simple technical checks, but this is only ever an approximation.

> > We are a long way from having very many resolvers use DLV - most don't
> > even support DNSSEC (at least not by default). It's kind of a question
> > as to whether the long, slow process of getting resolvers updated will
> > go faster than the long, slow process of getting zones signed (I  
> > expect
> > we will have zones signed faster, to be honest). :)
> Using an include file full of trust anchors wouldn't (to my knowledge)  
> require getting resolvers updated and wouldn't require the caching  
> server operator to trust/rely upon the DLV operator (whoever it might  
> be)...

Getting a file of trust anchors used by resolvers would still require
the administrators managing it do something, even if it is just
downloading "dns-trust-anchors-installer.exe" from a web page somewhere
and running it. Unless of course the tools were included by the OS
vendors in which case we would see the excellent adoption rates of
people patching for the recent poisoning issue. ;)


More information about the dns-operations mailing list