[dns-operations] Kaminsky: Protect IP Act Would Break DNS

Olaf Kolkman olaf at NLnetLabs.nl
Mon Jul 18 15:02:41 UTC 2011

On Jul 17, 2011, at 2:08 PM, Joe Greco wrote:

>> [Authoritative DNS servers operator hat on.]
>> On Sat, Jul 16, 2011 at 07:29:24AM -0500,
>> Joe Greco <jgreco at ns.sol.net> wrote 
>> a message of 74 lines which said:
>>> Also, in the past decade, what was once considered a heavy duty
>>> server is now available in the form factor of my cell phone.  The
>>> resources to do resolution locally exist.
>> The hardware resources. For the software, there are still a few
>> improvements to make. For instance, to have a local resolver on your
>> Ubuntu box, you need to:
>> * install the server ('aptitude install unbound')
>> * edit the DHCP config so ::1 is put before the DHCP-learned servers
>> * work around the brokenness of middleboxes
>> The first two points are not a big deal for a dns-operations subscriber
>> but still too complicated for the average user. 
> That's probably not the most likely point at which to tackle the
> issue, due to choices made years ago by Microsoft, etc.  Since your
> average consumer doesn't use Ubuntu, you might as well discuss the
> difficulty of setting up a local resolver on a Sun workstation.

First a shameless plug:

> Let's talk real world.  

Note that the shameless plug was above that statement.

> Let's talk your next door neighbor's network.  That's a Windows XP
> box, a Mac, some wifi, and random other devices
> on a DHCP network hanging off a D-Link router.  The obvious place for
> this sort of thing to start out is at the D-Link router; it offers a
> single point at which a resolver can be installed for this "site" with
> minimal hassle, and a bonus that the configuration of the rest of the
> network is automagic.

The CPE would be a good place, although I believe that in the end the DNSSEC validation needs to be very close to the application. Preferably on the same device.



Olaf M. Kolkman                        NLnet Labs
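As an added example (not code from the thread, from NLnet Labs or from Ubuntu), the three-step checklist quoted above (install unbound, put ::1 ahead of the DHCP-learned servers, work around middleboxes) written out as a small POSIX shell script. It generates the unbound and dhclient fragments into a directory you name, so it can be dry-run into a scratch directory, and gives a live check that validation is actually happening. The /var/lib/unbound/root.key location and the two test domains used by check_validation are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: the quoted checklist (install
# unbound, list ::1/127.0.0.1 before the DHCP-learned servers, work around
# middleboxes) as config fragments plus a validation check. Paths are taken
# as arguments so the script can be dry-run; the root.key location and the
# test domains in check_validation are assumptions.

# Steps 1 and 3: a loopback-only unbound that validates against the root
# trust anchor, refuses answers whose DNSSEC records were stripped, and keeps
# UDP answers under 1232 bytes so DNSSEC-sized responses are not fragmented
# and silently dropped by CPE or firewalls (unbound retries over TCP if needed).
write_unbound_conf() {
    cat >"$1" <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # maintained by unbound-anchor(8); Debian/Ubuntu path (assumption)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    edns-buffer-size: 1232
EOF
}

# Step 2: dhclient keeps the DHCP-learned servers but lists the local
# resolver first. "prepend" adds to the front of the option value without
# discarding what the DHCP server sent.
write_dhclient_conf() {
    cat >"$1" <<'EOF'
prepend domain-name-servers 127.0.0.1;
prepend dhcp6.name-servers ::1;
EOF
}

# Return 0 when the directive (a grep pattern) appears in the config file;
# lets the generated fragments be sanity-checked without unbound installed.
conf_has() {
    grep -q -- "$2" "$1"
}

# Live check (needs network and dig): a signed zone must come back with the
# AD flag set, and a deliberately mis-signed zone must return SERVFAIL rather
# than an answer. nlnetlabs.nl is assumed to stay signed and dnssec-failed.org
# to stay deliberately broken.
check_validation() {
    resolver="${1:-::1}"
    ad=$(dig @"$resolver" +dnssec +noall +comments nlnetlabs.nl A | grep -c 'flags:.* ad')
    bad=$(dig @"$resolver" +dnssec +noall +comments dnssec-failed.org A | grep -c 'status: SERVFAIL')
    [ "$ad" -ge 1 ] && [ "$bad" -ge 1 ]
}

# Usage: sh local-validator.sh /tmp/scratch   (dry run)
#        sh local-validator.sh /etc           (write the real fragments)
main() {
    dir="$1"
    mkdir -p "$dir/unbound/unbound.conf.d" "$dir/dhcp"
    write_unbound_conf "$dir/unbound/unbound.conf.d/local-validator.conf"
    # dhclient has no conf.d, so keep the fragment separate and append it by hand
    write_dhclient_conf "$dir/dhcp/dhclient.conf.local-validator"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$dir/unbound/unbound.conf.d/local-validator.conf" \
            || echo "unbound-checkconf rejected the fragment"
    fi
    echo "fragments written under $dir; install with: apt-get install unbound,"
    echo "append dhclient.conf.local-validator to /etc/dhcp/dhclient.conf, then"
    echo "restart unbound, re-run dhclient and verify with: check_validation ::1"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

One caveat that bears on the point about validation sitting close to the application: with `prepend`, the DHCP-learned servers remain in resolv.conf as fallbacks, and the glibc stub resolver moves on to the next listed server when the first one answers SERVFAIL, which is exactly how unbound reports a validation failure. A bogus answer rejected locally can therefore still be fetched from the ISP's resolver a moment later. If the host is meant to be protected by validation rather than merely offered it, use `supersede domain-name-servers 127.0.0.1;` (and the dhcp6.name-servers equivalent) so the validator is the only server listed.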
