[dns-operations] we may finally have a dnssec use case ; -) Re: Odd behaviour of DNS queries in PRC (facebook, youtube & twitter)

Phil Pennock dnsop+phil at spodhuis.org
Fri Mar 26 00:49:59 UTC 2010 

On 2010-03-25 at 16:06 -0700, Joe Abley wrote:
> The presupposition there is that there was no established population
> of validators (which you know, but I'm re-stating).

Loosely speaking, for most people, this is true today.

> 
> > (b) I wish to also deal with people who have DNSSEC mandated on, so I
> >    publish my own DNSSEC keys, which sign the "right" keys for some
> >    zones and my own, second, keys for some others.  Those others then
> >    sign my own replacement data.  I can handle any queries needed; I
> >    farm out the NS servers for the faked domains across a pool of
> >    special auth servers which can query the correct data (where I'm
> >    passing through) and supplying replacement RRSIGs with my own keys.
> 
> As soon as you replace RRSIGs, validation will fail. For any validator
> to accept your RRSIGs, you need to be able to control the validators'
> locally-configured trust anchors.

My understanding is that the long-term goal is to not have look-aside
mechanisms and that all trust anchors will be in-tree, starting at the
root.

> If you can control all the roots, then DNSSEC provides a mechanism
> whereby end users can tell that the data they are receiving is not
> what was published by the IANA.

End users mostly don't understand what DNS is.  ISP resolvers might be
maintained in such a way.  I've worked for an ISP, I've talked to others
who do, I know that the better ISPs will be able to set this up.  Many
... will have difficulty.

I'm willing to bet money that a sizeable chunk of those who do deploy
manually configured trust anchors will not prepare for KSK rollover and
will break, hard.

Outside of ISPs, the number of people who understand DNS well enough to
sort out KSK configuration and keeping it up-to-date is ... limited.

(In my more cynical moments, I think this is a good thing, some
low-quality ISPs will go under and the market will reward those who do
things right, but that too quickly leads to a whole different topic, of
whether or not there's realistic competition, etc.)

-Phil

More information about the dns-operations mailing list