[dns-operations] the mathematics of kaminsky spoofing probability

David Conrad drc at virtualized.org
Fri Aug 8 16:00:55 UTC 2008


On Aug 8, 2008, at 12:50 AM, Shane Kerr wrote:
> You seem to be arguing that having a trust anchor repository will make
> DNSSEC simple and easy.


Um, no. I suspect the only thing that will make DNSSEC "simple and
easy" is alien technology from Area 51.  Additional tools will make it
less painful, but it's always going to be complicated and hard.

I'm arguing that a trust anchor repository, with the proper tools,
will make deployment of useful DNSSEC easier.

> I agree that having a trust anchor repository is
> better than nothing, but still not nearly as nice as having a chain of
> signed delegations from the root.

What do you estimate the chances are that there will be universal
deployment of DNSSEC such that all zones have chains of signed
delegations from the root?

I believe this is indicative of a fundamental flaw in the design of
DNSSEC: a dependence upon the assumption that everyone in a
distributed hierarchy will play.  I would bet Paul Vixie's life that
there will _always_ be islands of trust in the DNS hierarchy.

Maybe someday, in the far future, when the root and all the TLDs and
all the SLDs and all the ThLDs and ... get signed, trust anchor
repositories can go away.  However, until that time, I figure there
will need to be some way of fetching, installing, maintaining, and
removing trust anchors.

> And while simple and easy for any
> given administrator, for the entire Internet it seems like a solution
> firmly planted in the wrong side of the 80/20 rule. :)

Seems to work for X.509.

>> Why not?  If your trust anchor is with a bunch of others in a (set of)
>> well known place(s) and there are tools that allow for those trust
>> anchors to be downloaded and installed on a periodic basis, I'd think
>> people would make use of your vanity domain trust anchor.
> That is true, yet AFAIK there is no such place, and there are no such
> tools.

And there is no signed root.

IANA will be publishing an Interim Trust Anchor Repository.  As a
result, I suspect people will create the tools to do something with
it.  If other folks use the same format for more general trust anchor
repositories, those tools would likely be applicable.

> And of course a big problem with this is the same as one with DLV: it
> does not follow the existing relationship between the parent and child
> in the DNS.

That's not the big problem with DLV.

Yes, it does not follow the existing relationship between the parent
and child in the DNS; that's why it's called an island of trust.  If I
sign my zone and publish my trust anchor to "Bill's Bait and Trust
Anchors Shop" website in some trusted way and you trust BBTAS to not
muck with those trust anchors, the DNS hierarchy is irrelevant.

> Getting a file of trust anchors used by resolvers would still require
> the administrators managing it do something, even if it is just
> downloading "dns-trust-anchors-installer.exe" from a web page somewhere
> and running it.

Yes.  And if the root were signed, administrators would have to
configure the root trust anchor.
