[dns-operations] we may finally have a dnssec use case ;-) Re: Odd behaviour of DNS queries in PRC (facebook, youtube & twitter)

Joe Abley jabley at hopcount.ca
Thu Mar 25 23:06:55 UTC 2010


On 2010-03-25, at 15:30, Phil Pennock wrote:

> On 2010-03-25 at 20:54 +0100, bert hubert wrote:
>> Given the nature of why this is happening, this is one of the first use cases
>> I see for DNSSEC that actually is worth the administrative overhead. 
> 
> Scenario:
> * I wish to censor the net
> * I can force people to accept my route advertisements, within a given
>  geographic area
> * I can read a zonefile, so I know which 13 IP addresses I need to
>  advertise and have preferred
> 
> I publish a root zone.
> (a) I leave out DNSSEC; resolution works as it does now, all the DNSSEC
>    won't save anyone because it's never activated

The presupposition there is that there was no established population of validators (which you know, but I'm re-stating).

> (b) I wish to also deal with people who have DNSSEC mandated on, so I
>    publish my own DNSSEC keys, which sign the "right" keys for some
>    zones and my own, second, keys for some others.  Those others then
>    sign my own replacement data.  I can handle any queries needed; I
>    farm out the NS servers for the faked domains across a pool of
>    special auth servers which can query the correct data (where I'm
>    passing through) and supplying replacement RRSIGs with my own keys.

As soon as you replace RRSIGs, validation will fail. For any validator to accept your RRSIGs, you need to be able to control the validators' locally-configured trust anchors.

> If I can control all the roots, then DNSSEC buys you just a false sense
> of security.

If you can control all the roots, then DNSSEC provides a mechanism whereby end users can tell that the data they are receiving is not what was published by the IANA.

> If a client is using a DNS recursor which learns which servers have the
> lowest latency and I can provide those, reliably, I only need to control
> a sub-set.  Especially if the routes are stable.

Possibly. I don't know that this behaviour has ever been well-characterised, experimentally. Common wisdom suggests that server selection is biased towards those servers that seem to respond quickly, but not that distant servers are never queried.

> The only people protected here by DNSSEC are some who are normally just
> outside my sphere of influence, who have sufficiently unstable routing
> that I can't say they'll deterministically use my servers.
> 
> That's ... perhaps a non-trivial percentage of the population who you're
> protecting, but not a huge win either.

I don't think I buy your conclusion, but your reasoning is interesting.

> Control the roots, control the data.

Control the KSK, control the ability to sign the data.


Joe
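The chain-of-trust argument in this reply, worked through as an added toy example that is not part of the thread or of any DNS software: a resolver holds a locally configured trust anchor (the DS digest of the root KSK) and accepts an RRset only if its RRSIG chains back to that anchor through the DNSKEY and DS records of each zone. The signature scheme is textbook, unpadded RSA with 64-bit moduli standing in for RSASHA256, the zone names, addresses and "views" (what a resolver would see from the honest servers versus from a censor's replacement root servers) are constructed for the demo, and the `sign_zone` / `validate` functions are simplifications of the real protocol (no ZSK/KSK split, no NSEC, no TTLs). The four views correspond to the thread: honest data; scenario (a), forged data with no DNSSEC; real keys kept but the forged RRset carries an RRSIG made with the censor's key; and scenario (b), the whole chain re-signed under the censor's own root key.

```python
import hashlib
import random

def _prime(bits):
    """Random prime by trial division: fine for a toy, hopeless for real keys."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(c % k for k in range(3, int(c ** 0.5) + 1, 2)):
            return c

def keygen(bits=64):
    """Textbook RSA stand-in for RSASHA256: ((n, e), (n, d)).  e is prime, so
    gcd(e, phi) == 1 iff phi % e != 0.  pow(e, -1, phi) needs Python 3.8+."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, msg):
    return pow(_h(msg, priv[0]), priv[1], priv[0])
def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg, pub[0])

def canonical(owner, rtype, rdata):
    """The bytes an RRSIG covers: owner, type and the sorted rdata."""
    return f"{owner} {rtype} {' '.join(rdata)}".encode()

def ds_digest(pub):
    """DS rdata: hash of a child's DNSKEY, published and signed by the parent."""
    return hashlib.sha256(f"{pub[0]} {pub[1]}".encode()).hexdigest()

def sign_zone(name, priv, pub, records, dnssec=True):
    """Wire view of one zone: {(owner, rtype): (rdata, rrsig)}.  The DNSKEY is
    self-signed like a KSK; dnssec=False publishes no DNSKEY and no RRSIGs."""
    rrsets = dict(records)
    if dnssec:
        rrsets[(name, "DNSKEY")] = [f"{pub[0]} {pub[1]}"]
    view = {}
    for (owner, rtype), rdata in rrsets.items():
        rdata = tuple(sorted(rdata))
        sig = sign(priv, canonical(owner, rtype, rdata)) if dnssec else None
        view[(owner, rtype)] = (rdata, sig)
    return view

def validate(view, anchor, owner, rtype):
    """Resolve (owner, rtype) through view ({zone: wire view}) against the local
    trust anchor (DS digest of the root DNSKEY); anchor=None means no validation.
    Returns (secure, rdata, why)."""
    zones = sorted((z for z in view if z == "." or owner.endswith("." + z)), key=len)
    if anchor is None:
        return False, view[zones[-1]][(owner, rtype)][0], "resolver does not validate"
    expected_ds = anchor
    for i, zname in enumerate(zones):
        z = view[zname]
        if (zname, "DNSKEY") not in z:
            return False, None, f"no DNSKEY for {zname}: chain of trust broken"
        keyrd, keysig = z[(zname, "DNSKEY")]
        pub = tuple(int(x) for x in keyrd[0].split())
        if ds_digest(pub) != expected_ds:
            return False, None, f"DNSKEY of {zname} is not the key the anchor/DS names"
        if not verify(pub, canonical(zname, "DNSKEY", keyrd), keysig):
            return False, None, f"bad RRSIG over DNSKEY of {zname}"
        target = (zones[i + 1], "DS") if i + 1 < len(zones) else (owner, rtype)
        rdata, sig = z.get(target, (None, None))
        if sig is None or not verify(pub, canonical(*target, rdata), sig):
            return False, None, f"missing or bad RRSIG over {target[0]} {target[1]}"
        expected_ds = rdata[0]        # the DS the next zone's DNSKEY must match
    return True, rdata, "validates back to the trust anchor"

def build_scenarios():
    """Honest zones plus the censor's alternatives (all constructed for the demo)."""
    root_pub, root_priv = keygen()
    ex_pub, ex_priv = keygen()
    bad_root_pub, bad_root_priv = keygen()          # the censor's own keys
    bad_ex_pub, bad_ex_priv = keygen()
    q, forged = ("www.example.", "A"), ["198.51.100.1"]
    real = {".": sign_zone(".", root_priv, root_pub, {("example.", "DS"): [ds_digest(ex_pub)]}),
            "example.": sign_zone("example.", ex_priv, ex_pub, {q: ["192.0.2.10"]})}
    plain = {".": sign_zone(".", None, None, {}, dnssec=False),              # (a): no DNSSEC
             "example.": sign_zone("example.", None, None, {q: forged}, dnssec=False)}
    mixed = {".": real["."], "example.": dict(real["example."])}            # real keys, swapped RRSIG
    mixed["example."][q] = (tuple(forged), sign(bad_ex_priv, canonical(*q, tuple(forged))))
    resigned = {".": sign_zone(".", bad_root_priv, bad_root_pub, {("example.", "DS"): [ds_digest(bad_ex_pub)]}),
                "example.": sign_zone("example.", bad_ex_priv, bad_ex_pub, {q: forged})}   # (b)
    return q, dict(real=real, plain=plain, mixed=mixed, resigned=resigned), ds_digest(root_pub), ds_digest(bad_root_pub)

def run_all():
    q, views, iana_anchor, censor_anchor = build_scenarios()
    cases = {"real/IANA": ("real", iana_anchor), "plain/none": ("plain", None),
             "plain/IANA": ("plain", iana_anchor), "mixed/IANA": ("mixed", iana_anchor),
             "resigned/IANA": ("resigned", iana_anchor), "resigned/censor": ("resigned", censor_anchor)}
    return {k: validate(views[v], a, *q) for k, (v, a) in cases.items()}

if __name__ == "__main__":
    for name, (secure, rdata, why) in run_all().items():
        print(f"{name:16} secure={secure!s:5} rdata={rdata}  ({why})")
```

Running it shows the two halves of the reply: the non-validating resolver in `plain/none` happily returns the forged address, which is the "no established population of validators" case, while every validator configured with the IANA anchor rejects `plain`, `mixed` and `resigned`, failing at the DNSKEY, at the swapped RRSIG, or at the mismatched root key respectively. Only `resigned/censor`, where the censor also controls the resolver's trust anchor, validates the forged data: controlling the KSK (or the anchor that names it) is what lets one sign the data.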

