[dns-operations] we may finally have a dnssec use case ; -) Re: Odd behaviour of DNS queries in PRC (facebook, youtube & twitter)
Phil Pennock
dnsop+phil at spodhuis.org
Thu Mar 25 22:30:08 UTC 2010
On 2010-03-25 at 20:54 +0100, bert hubert wrote:
> Given the nature of why this is happening, this is one of the first usecases
> I see for DNSSEC that actually is worth the administrative overhead.
Scenario:
* I wish to censor the net
* I can force people to accept my route advertisements, within a given
geographic area
* I can read a zonefile, so I know which 13 IP addresses I need to
advertise and have preferred
I publish a root zone.
(a) I leave out DNSSEC; resolution works as it does now, all the DNSSEC
won't save anyone because it's never activated
(b) I wish to also deal with people who have DNSSEC mandated on, so I
publish my own DNSSEC keys, which sign the "right" keys for some
zones and my own, second, keys for some others. Those others then
sign my own replacement data. I can handle any queries needed; I
farm out the NS servers for the faked domains across a pool of
special auth servers which can query the correct data (where I'm
passing through) and supplying replacement RRSIGs with my own keys.
If I can control all the roots, then DNSSEC buys you just a false sense
of security.
If a client is using a DNS recursor which learns which servers have the
lowest latency and I can provide those, reliably, I only need to control
a sub-set. Especially if the routes are stable.
The only people protected here by DNSSEC are some who are normally just
outside my sphere of influence, who have sufficiently unstable routing
that I can't say they'll deterministically use my servers.
That's ... perhaps a non-trivial percentage of the population who you're
protecting, but not a huge win either.
Control the roots, control the data.
-Phil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 163 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100325/1b6fb68f/attachment.sig>
More information about the dns-operations
mailing list