[dns-operations] the mathematics of kaminsky spoofing probability
drc at virtualized.org
Fri Aug 8 16:00:55 UTC 2008
On Aug 8, 2008, at 12:50 AM, Shane Kerr wrote:
> You seem to be arguing that having a trust anchor repository will make
> DNSSEC simple and easy.
Um, no. I suspect the only thing that will make DNSSEC "simple and
easy" is alien technology from Area 51. Additional tools will make it
less painful, but it's always going to be complicated and hard.
I'm arguing that a trust anchor repository, with the proper tools,
will make deployment of useful DNSSEC easier.
> I agree that having a trust anchor repository is
> better than nothing, but still not nearly as nice as having a chain of
> signed delegations from the root.
What do you estimate the chances are that there will be universal
deployment of DNSSEC such that all zones have chains of signed
delegations from the root?
I believe this is indicative of a fundamental flaw in the design of
DNSSEC: a dependence upon the assumption that everyone in a
distributed hierarchy will play. I would bet Paul Vixie's life that
there will _always_ be islands of trust in the DNS hierarchy.
Maybe someday, in the far future, when the root and all the TLDs and
all the SLDs and all the ThLDs and ... get signed, trust anchor
repositories can go away. However, until that time, I figure there
will need to be some way of fetching, installing, maintaining, and
removing trust anchors.
> And while simple and easy for any
> given administrator, for the entire Internet it seems like a solution
> firmly planted in the wrong side of the 80/20 rule. :)
Seems to work for X.509.
>> Why not? If your trust anchor is with a bunch of others in a (set
>> well known place(s) and there are tools that allow for those trust
>> anchors to be downloaded and installed on a periodic basis, I'd think
>> people would make use of your vanity domain trust anchor.
> That is true, yet AFAIK there is no such place, and there are no such
And there is no signed root.
IANA will be publishing an Interim Trust Anchor Repository. As a
result, I suspect people will create the tools to do something with
it. If other folks use the same format for more general trust anchor
repositories, those tools would likely be applicable.
> And of course a big problem with this is the same as one with DLV: it
> does not follow the existing relationship between the parent and child
> in the DNS.
That's not the big problem with DLV.
Yes, it does not follow the existing relationship between the parent
and child in the DNS, that's why it's called an island of trust. If I
sign my zone and publish my trust anchor to "Bill's Bait and Trust
Anchors Shop" website in some trusted way and you trust BBTAS to not
muck with those trust anchors, the DNS hierarchy is irrelevant.
> Getting a file of trust anchors used by resolvers would still require
> the administrators managing it do something, even if it is just
> downloading "dns-trust-anchors-installer.exe" from a web page
> and running it.
Yes. And if the root were signed, administrators would have to
configure the root trust anchor.
More information about the dns-operations