[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Wes Hardaker wes at hardakers.net
Tue May 27 13:52:59 UTC 2008

>>>>> On Mon, 26 May 2008 21:07:31 -0700, David Conrad <drc at virtualized.org> said:

DC> The point I'm trying to make is that, by and large, all we've been doing
DC> is adding perceived cost to DNS operations with little (if any)
DC> perceived benefit or reduced risk.

An interesting thing we found when writing the DNSSEC-Tools' patch to
integrate a validating resolver into Firefox: Firefox right now has
really fuzzy language when you hit a domain it failed to look up.
Specifically, the four bullets it shows the user are:

   * Did you make a mistake when typing the domain?
     (e.g. "ww.mozilla.org" instead of "www.mozilla.org")

   * Are you certain this domain address exists?  Its registration may
     have expired.

   * Are you unable to browse other sites?  Check your network
     connection and DNS server settings.

   * Is your computer or network protected by a firewall or proxy?
     Incorrect settings can interfere with Web browsing.

Specifically, look at the last two.  They are fuzzy because the
application has no way of knowing exactly what the problem was.  (And
there is a big "try again" button, because trying again may actually
work if it was a network issue.)

When we added the patch, we actually changed that error message so that
*if* we got a validated negative answer we were suddenly sure that the
domain definitely didn't exist.  Proof of non-existence in this case is
actually a huge benefit to the average user.  We changed the error
screen to be much less wishy-washy since we now know the domain they
typed does not exist and we ruled out half of the problems!

   * Did you make a mistake when typing the domain?
     (e.g. "ww.mozilla.org" instead of "www.mozilla.org")

   * This domain address does not exist.  Are you sure it is supposed
     to?  Maybe it used to but it no longer does?

We removed the last two bullets entirely and stated authoritatively that
the domain doesn't exist (because we proved it!).

"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
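The decision described in the post, as an added example that is not part of the original message or of the DNSSEC-Tools patch: a small DNS header parser picks the authoritative "does not exist" screen only for a validated NXDOMAIN and keeps the fuzzy screen for everything else (timeout, SERVFAIL, unvalidated NXDOMAIN). The sample wire messages are constructed here, and the code assumes the validated status comes from an in-application validating resolver; an AD bit set by a remote recursive resolver is only meaningful over a trusted path to that resolver.

```python
import struct

NXDOMAIN = 3
AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags word (RFC 4035)

# The two error screens from the post: the original four fuzzy bullets, and the
# shorter screen shown only when non-existence has been cryptographically proven.
FUZZY_BULLETS = [
    "Did you make a mistake when typing the domain?",
    "Are you certain this domain address exists?",
    "Are you unable to browse other sites?",
    "Is your computer or network protected by a firewall or proxy?",
]
PROVEN_BULLETS = [
    "Did you make a mistake when typing the domain?",
    "This domain address does not exist.",
]

def build_response(rcode, ad):
    """Constructed sample: a minimal DNS reply (header + question for ww.mozilla.org)."""
    flags = 0x8180 | (AD_FLAG if ad else 0) | (rcode & 0xF)  # QR, RD, RA set
    question = b"\x02ww\x07mozilla\x03org\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + question

def parse_flags(msg):
    """Return (rcode, ad) from the 12-byte DNS header; reject truncated input."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0xF, bool(flags & AD_FLAG)

def choose_screen(msg):
    """Pick the error screen for a lookup result (msg is None on timeout).

    Only a validated NXDOMAIN (AD set by the in-app validating resolver) justifies
    the authoritative "does not exist" screen. Everything else stays fuzzy because
    the application cannot tell a missing name from a broken network; a SERVFAIL
    from a validator may also mean validation failed, which is worth logging.
    """
    if msg is None:
        return "fuzzy", FUZZY_BULLETS
    rcode, ad = parse_flags(msg)
    if rcode == 0:
        return "ok", []
    if rcode == NXDOMAIN and ad:
        return "proven", PROVEN_BULLETS
    return "fuzzy", FUZZY_BULLETS
```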
