[dns-operations] summary of recent vulnerabilities in DNS security.

Daniel Kalchev daniel at digsys.bg
Tue Oct 29 10:38:42 UTC 2013


On 25.10.13 15:20, Stephane Bortzmeyer wrote:
> On Tue, Oct 22, 2013 at 11:59:04PM +0000,
>   Vernon Schryver <vjs at rhyolite.com> wrote
>   a message of 50 lines which said:
>
>> Why would there be extra support calls?  Wrong keys are no worse
>> than wrong delegations
> Of course, they are worse. In the vast majority of cases, lame
> delegations (or other mistakes) do not prevent resolution (as long as
> one name server works). A wrong key can completely prevent resolution,
> leading to a loss of service. The DNS is extremely robust, you have to
> try very hard to break it. With DNSSEC, it's the opposite, you have to
> be very careful for it to work.

DNS is "very robust" only if you accept "whatever" as the answer.

This is very similar to the claim "you can create a very fast 
(whatever) algorithm, as long as you do not require the right answer".

The thing is, DNSSEC does improve the quality of DNS by also requiring 
more discipline and attention, in addition to the obvious cryptographic 
verification of responses. More discipline and attention always helps.

It is only natural that there will always be opposition to DNSSEC, as 
there will always be lazy "admins" whose traditional excuse is "it is 
someone else's fault".

Daniel
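The failure mode Stephane describes, a parent DS record that no longer matches any key in the child's DNSKEY RRset, is the step a validating resolver cannot work around: plain DNS tolerates a lame delegation as long as any one listed nameserver answers, but a broken DS -> DNSKEY link makes the whole zone SERVFAIL. The following Python is an added example, not code from the list post or from any named project; it implements the RFC 4034 key tag, the RFC 4509 SHA-256 DS digest and the DS-to-DNSKEY matching step, then runs them over a constructed key rollover. The zone name and the 64-byte "public keys" are constructed placeholders (algorithm 13 is ECDSAP256SHA256, whose public key is 64 bytes), not real keys, and the RRSIG verification a real validator performs after the match is deliberately left out.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2): flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name in wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS RDATA fields (key tag, algorithm, digest type, digest) published by the parent."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))


def chain_is_secure(owner: str, parent_ds_set: list, child_dnskeys: list) -> bool:
    """The DS -> DNSKEY step of validation: some DS in the parent must match a child DNSKEY
    on key tag, algorithm and digest. A real validator would then verify the child's DNSKEY
    RRSIG with the matched key (omitted here). No match means the chain is broken and the
    resolver returns SERVFAIL for every name under the zone, however many nameservers work."""
    for tag, alg, dtype, digest in parent_ds_set:
        if dtype != 2:  # only SHA-256 DS records are understood by this example
            continue
        for rdata in child_dnskeys:
            if rdata[3] == alg and key_tag(rdata) == tag and ds_digest(owner, rdata) == digest:
                return True
    return False


# Constructed scenario: a KSK rollover where the child publishes the new key before
# the parent's DS is updated. Zone name and key bytes are placeholders, not real data.
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))        # flags 257 = zone key + SEP
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))


def rollover_scenarios() -> dict:
    """Validation outcome for three states of the parent DS set versus the child DNSKEY set."""
    parent_ds_old_only = [make_ds(ZONE, OLD_KSK)]
    parent_ds_both = parent_ds_old_only + [make_ds(ZONE, NEW_KSK)]
    return {
        # normal operation: parent DS matches the published KSK
        "in_sync": chain_is_secure(ZONE, parent_ds_old_only, [OLD_KSK]),
        # child swapped to the new KSK, parent DS still names the old one: hard failure
        "child_rolled_parent_stale": chain_is_secure(ZONE, parent_ds_old_only, [NEW_KSK]),
        # correct rollover: parent carries DS for both keys while the child switches
        "double_ds_during_rollover": chain_is_secure(ZONE, parent_ds_both, [NEW_KSK]),
    }


if __name__ == "__main__":
    for scenario, secure in rollover_scenarios().items():
        print(f"{scenario}: {'validates' if secure else 'SERVFAIL (bogus)'}")
```

The middle scenario is the one that generates support calls: nothing is wrong with the nameservers or the zone data, yet every validating resolver on the Internet refuses the zone until the parent DS is fixed. The usual remedy is the third scenario, keeping both DS records at the parent for longer than the old DS's TTL before removing the old key.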