[dns-operations] Kaminsky: Protect IP Act Would Break DNS

David Conrad drc at virtualized.org
Sat Jul 16 22:52:49 UTC 2011


On Jul 16, 2011, at 3:42 AM, Dobbins, Roland wrote:
> I don't think that politicians wish to exert control over Internet behaviors because they understand that aggregated recursion points in the DNS are somewhat helpful in this regard.  I think they wish to exert control over Internet behaviors irrespective of technical/architectural considerations, and that if not DNS, the injection of more-specific prefixes in the routing table, mandated proxies, et al. will serve their ends just as well.

Politicians (et al.) look for knobs to facilitate control. The DNS is such a knob. It is not the only knob.  It is, however, an easier one to explain in sound bites than hijacking the routing system ("Our forces of goodness have eliminated ILLICITACTIVITY.ORG").

> With regards to distributed recursion, the argument could be made that the great increase in the number of clients which authoritative servers must deal with on a regular basis would not necessarily be a welcome development,

Given the statelessness of authoritative DNS, I'm not sure I see how an increase in the diversity of clients would have a noticeable impact on authoritative servers.  If recursion were to be pushed to the edge, the absolute quantity of queries would likely increase (unless site-wide forwarders were deployed); however, authoritative servers must already be over-provisioned to deal with DoS, so I'm unclear as to what sort of effect this would have.

> and that this model would add more complexity to clients which will complicate support and perhaps lend itself to exploitation by attackers.

Resolvers are indeed complicated.  More so with DNSSEC. However, I suspect browsers are much more complicated, yet they appear to be the UI of choice these days, even for phones. I'd further argue that the best/most secure place to do DNSSEC validation is at the edge.
