[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Edward Lewis Ed.Lewis at neustar.biz
Fri May 23 12:42:46 UTC 2008


At 13:16 +0200 5/23/08, Michael Monnerie wrote:

>If the answer is from "normal" DNS, the browser could display the URL in
>yellow. If from DNSSEC and valid, it's green. But red when DNSSEC and
>not valid.

With DNSSEC, if an answer does not validate, it isn't returned.  The 
end state of a query is either an answer or an error condition.  An 
answer would have to conform with local policy to be returned.

It is possible that you would want to differentiate answers that had 
a cryptographic chain of trust back to some trusted configuration 
parameter from answers that were provably unsigned.  That's the 
yellow and green.

But you shouldn't get the red.  The browser shouldn't use - or get 
any - data that failed validation.

A SERVFAIL return from bad DNSSEC is the same to the browser as 
SERVFAIL from a lame delegation, lack of authoritative servers, an 
NXDOMAIN or a NO ERROR with 0 answer records.  Each returns no data 
and stops the browser dead in that thread's track.

>Just like it is for non valid HTTPS Certs right now, at least in
>Firefox. DNS should get similar security awareness.

The difference is that HTTPS Certs are part of the protocol for which 
the browser is a client.  When there is a certificate processing 
failure, the browser will go to the user for an opinion.  DNS is a 
separate module; its "internal" bumps (now) are not visible to the 
user of a browser.

There's probably a more comprehensive analysis published on this 
topic.  I know that there have been many years of funding to research 
and implement DNSSEC hooks into applications.  I've been aware of 
incomplete discussions, some prototypes produced, but no major 
breakthroughs.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.
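
The three end states the message describes (validated answer, provably unsigned answer, no data at all) can be read off the DNS header alone, which is what a stub resolver or an application actually gets to see. The following is an added example, not code from the post or from any DNSSEC implementation: it decodes the 12-byte header, classifies the response by RCODE, answer count and the AD bit, and maps that onto the yellow/green scheme from the thread. The sample messages are constructed, header-only responses. A caveat a practitioner would want: the AD bit is only meaningful when the validating resolver and the path to it are trusted (a stub on an untrusted network can be handed a forged AD bit), so the "green" state depends on the resolver configuration, not only on the bytes shown here.

```python
import struct

# DNS header layout and flag bits (RFC 1035 section 4.1.1; the AD and CD
# bits come from RFC 2535 / RFC 4035). Only the header is needed to tell
# the outcomes apart, so the constructed samples below are header-only.
HEADER_FMT = "!6H"          # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FLAG_QR = 1 << 15           # message is a response
FLAG_RD = 1 << 8            # recursion desired
FLAG_RA = 1 << 7            # recursion available
FLAG_AD = 1 << 5            # authenticated data, set by a validating resolver
FLAG_CD = 1 << 4            # checking disabled (not used in the samples)
RCODE_MASK = 0x000F

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(msg: bytes) -> str:
    """Classify a response as 'secure', 'insecure' or 'error'.

    'secure'   : NOERROR with answers and the AD bit set (validated chain).
    'insecure' : NOERROR with answers and AD clear (provably unsigned, or
                 the resolver does not validate at all).
    'error'    : everything else. A DNSSEC validation failure arrives as
                 SERVFAIL, so at this layer it cannot be told apart from a
                 lame delegation, an NXDOMAIN or NOERROR with zero answers.
    """
    h = parse_header(msg)
    if not h["flags"] & FLAG_QR:
        raise ValueError("message is a query, not a response")
    rcode = h["flags"] & RCODE_MASK
    if rcode != RCODE_NOERROR or h["ancount"] == 0:
        return "error"
    return "secure" if h["flags"] & FLAG_AD else "insecure"


def indicator(msg: bytes):
    """Map the classification onto the colours discussed in the thread.

    There is no 'red': data that failed validation never reaches the
    application, so the states are green, yellow, or no data (None).
    """
    colours = {"secure": "green", "insecure": "yellow", "error": None}
    return colours[classify_response(msg)]


def build_response(ident: int, rcode: int, ancount: int, ad: bool = False) -> bytes:
    """Build a constructed, header-only response (test data, not a capture)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & RCODE_MASK)
    return struct.pack(HEADER_FMT, ident, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    samples = {
        "validated answer":   build_response(0x1001, RCODE_NOERROR, 1, ad=True),
        "unsigned answer":    build_response(0x1002, RCODE_NOERROR, 1),
        "validation failure": build_response(0x1003, RCODE_SERVFAIL, 0),
        "lame delegation":    build_response(0x1004, RCODE_SERVFAIL, 0),
        "nxdomain":           build_response(0x1005, RCODE_NXDOMAIN, 0),
        "noerror, no data":   build_response(0x1006, RCODE_NOERROR, 0),
    }
    for name, msg in samples.items():
        print(f"{name:20s} -> {classify_response(msg):8s} indicator={indicator(msg)}")
```

Note that the "validation failure" and "lame delegation" samples differ only in the query ID: the bytes the application sees are otherwise identical, which is the point the message makes about SERVFAIL.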
