[dns-operations] summary of recent vulnerabilities in DNS security.

David Conrad drc at virtualized.org
Sun Oct 20 23:52:34 UTC 2013

On Oct 20, 2013, at 2:16 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
> Should the people working on DNS implementations prioritize making
> their DNSSEC code more robust and easier to use above or below
> addressing your issues?

I'd say "below".

Resolver operators (hopefully) want to protect their caches.  DNSSEC will do that, but only if people are signing their zones. There are lots of external parties (e.g., registries, registrars, software developers, resolver operators, etc.) needed to get DNSSEC deployed, and there remains very little incentive for anyone to sign their zones, regardless of how robust and easy it might be made.

The alternative would be to disregard current and future cache poisoning attacks.  Pragmatically speaking, I personally think it highly questionable to ignore cache poisoning vulnerabilities because something which isn't yet deployed to 10% of the Internet will fix it.

This would be a bit like saying "don't deploy RRL because BCP38 is the correct answer to the problem".

> Your work would be valuable if it helped pressure people to get busy on DNSSEC.  

Seems to me the work they have done is valuable, regardless of DNSSEC.

