[dns-operations] summary of recent vulnerabilities in DNS security.

Colm MacCárthaigh colm at stdlib.net
Mon Oct 21 02:06:37 UTC 2013


On Sun, Oct 20, 2013 at 6:33 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Haya Shulman <haya.shulman at gmail.com>
>
>> I was under pressure to catch a flight when I responded and forgot DNSSEC;
>> it is as dear to me as it is to you :-)
>
> I'm sorry, but I think the mention of DNSSEC in your paper exists only
> because others forced it.

Is it really necessary to make an accusation like this? Haya's
research seems very detailed and uncovers some vulnerabilities that
escaped many of us over the years. Haya's clearly aware of DNSSEC and
it's been called out as a mitigation in every one of the papers I've
read. You write as if Haya has an agenda to undermine DNSSEC, but all
I see is unbiased factual statements in the papers.

It's a complicated story to tell and it doesn't make for clear
straightforward advice; for the foreseeable future deploying DNSSEC on
the auth side makes you more vulnerable, as there are still more
non-validating resolvers than there are validating ones. But then
complete deployment of DNSSEC on the resolver side would make
everything better again. It's hard to ethically advise someone that
they should stick their neck out for deferred benefit of everyone
else.

-- 
Colm
