[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver
Ed.Lewis at neustar.biz
Fri May 23 12:42:46 UTC 2008
At 13:16 +0200 5/23/08, Michael Monnerie wrote:
>If the answer is from "normal" DNS, the browser could display the URL in
>yellow. If from DNSSEC and valid, it's green. But red when DNSSEC and
With DNSSEC, if an answer does not validate, it isn't returned. The
end state of a query is either an answer or an error condition. An
answer would have to conform with local policy to be returned.
It is possible that you would want to differentiate answers that had
a cryptographic chain of trust back to some trusted configuration
parameter from answers that were provably unsigned. That's the
yellow and green.
But you shouldn't get the red. The browser shouldn't use - or get
any - data that failed validation.
A SERVFAIL return from bad DNSSEC is the same to the browser as
SERVFAIL from a lame delegation, lack of authoritative servers, an
NXDOMAIN or an NO ERROR with 0 answer records. Each returns no data
and stops the browser dead in that thread's track.
>Just like it is for non valid HTTPS Certs right now, at least in
>Firefox. DNS should get similar security awareness.
The difference is that HTTPS Certs is part of the protocol for which
the browser is a client. When there is a certificate processing
failure, the browser will go to the user for an opinion. DNS is a
separate module, it's "internal" bumps (now) are not visible to the
user of a browser.
There's probably a more comprehensive analysis published on this
topic. I know that there's been many years of funding to research
and implement DNSSEC hooks into applications. I've been aware of
incomplete discussions, some prototypes produced, but no major break
Edward Lewis +1-571-434-5468
Never confuse activity with progress. Activity pays more.
More information about the dns-operations