Re: DS and Opt-in - a proposal
On Sat, 2001-12-29 at 02:45, bert hubert wrote:
> > In the Unix world, at least, the applications shouldn't have to get
> > involved, just the recursive resolver (named, traditionally) and to some
> > extent the stub resolver in libc. The application may be interested in
>
> You must live in a parallel universe from mine. The application developer
> has needs. If DNSSEC is unable to meet, or worse, not interested in those
> needs, s/he will ignore it. It is not a unix question.
What needs?
Your initial message said "DNSSEC is going nowhere if they [browsers]
aren't going to use it!" I was arguing that DNSSEC is useful even if
browsers stay the same as they are, at least in the Unix world. If:
* DNSSEC is deployed at the root,
* the recursive resolver is DNSSEC-aware and knows the root's key,
* com, amazon.com, and www.amazon.com are signed, and
* the path from the stub resolver to the recursive resolver isn't easy
to attack (because they're on the same machine, the path is behind a
firewall which the attacker can't get behind, or the path is
protected by TSIG)
then it becomes prohibitively difficult to spoof the address of
www.amazon.com, even if the browser is completely ignorant of DNSSEC.
That's a win over the current situation, where it is relatively easy to
spoof that address (especially if you can watch the query, but in many
cases even if you can't).
> There is no difference. Right now DNSSEC is purely academic with some
> laboratory experiments. Some fairy may come along and suddenly make all user
> applications DNSSEC aware, but don't count on it. It's not that you write
> the RFC and suddenly people start implementing it.
The only reason I can think of why most user applications would need to
be DNSSEC-aware is to convey to the user whether a domain is signed or
not. Since most users don't understand what that means, I don't think
that's the most important part of DNSSEC.
> Just saying 'it is transparent from an applications' point of view' does not
> cut it.
Why not?
> Interesting to note is that I'm told that IE has its own resolver, separate
> from the regular windows one.
Its own stub resolver or its own recursive resolver? If the latter
(which I somewhat doubt; it wouldn't work so well with firewalls), then
like any other recursive resolver, that would need to implement DNSSEC
in order to benefit.
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
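The four conditions listed in the message above describe, in effect, a chain-of-trust walk: a validating recursive resolver holds the root key, follows signed DS records from the root to com to amazon.com, and finally checks the signature on the www.amazon.com answer. The following is a constructed Python model of that walk, added here as an example; it is not code from the thread or from any DNS implementation. It uses textbook RSA over tiny fixed Mersenne primes as a stand-in for real DNSSEC signature algorithms, a toy record encoding, and constructed addresses (192.0.2.10 and 203.0.113.66, from the documentation ranges), and it treats a missing DS as an unsigned delegation without the NSEC proof a real validator would require. The last condition, a protected path from the stub resolver to the recursive resolver, is a transport question and is not modeled.

```python
"""Toy model of DNSSEC chain-of-trust validation (constructed example, not real DNS code).
A validating resolver trusts only the root key and checks each DS -> DNSKEY -> RRSIG link down
to the zone owning www.amazon.com.  Signatures are textbook RSA over tiny fixed primes so this
runs on the standard library alone; it models the structure of validation, not secure crypto."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, NamedTuple, Tuple

PubKey = Tuple[int, int]  # (n, e)
# Mersenne primes as toy RSA factors; e = 65537 is coprime to (p-1)(q-1) for all of them.
PRIMES = [2**k - 1 for k in (13, 17, 19, 31, 61, 89, 107, 127)]

def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PubKey, int]:
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv: int, pub: PubKey, data: bytes) -> int:
    return pow(_digest(data, pub[0]), priv, pub[0])

def verify(pub: PubKey, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

def key_digest(pub: PubKey) -> bytes:
    """What a parent's DS record carries: a digest of the child's DNSKEY."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).digest()

class SignedRR(NamedTuple):
    owner: str
    rtype: str
    rdata: bytes
    sig: int  # RRSIG made with the owning zone's private key

    def wire(self) -> bytes:  # canonical bytes the signature covers (toy encoding)
        return f"{self.owner}|{self.rtype}|".encode() + self.rdata

@dataclass
class Zone:
    name: str  # "." for the root, otherwise fully qualified, e.g. "com."
    pub: PubKey
    priv: int
    records: Dict[Tuple[str, str], SignedRR] = field(default_factory=dict)

    def publish(self, owner: str, rtype: str, rdata: bytes) -> SignedRR:
        unsigned = SignedRR(owner, rtype, rdata, 0)
        rr = unsigned._replace(sig=sign(self.priv, self.pub, unsigned.wire()))
        self.records[(owner, rtype)] = rr
        return rr

    def delegate(self, child: "Zone") -> None:
        """Signed delegation: the parent publishes a DS for the child's DNSKEY."""
        self.publish(child.name, "DS", key_digest(child.pub))

def parent_of(name: str) -> str:
    return name.split(".", 1)[1] or "."

def owning_zone(zones: Dict[str, Zone], owner: str) -> str:
    """Deepest known zone whose name is a suffix of owner on a label boundary."""
    return max((z for z in zones if z == "." or owner == z or owner.endswith("." + z)), key=len)

def validate(zones: Dict[str, Zone], anchor: PubKey, rr: SignedRR) -> str:
    """Classify a received answer as 'secure', 'insecure' or 'bogus', as a validator would."""
    chain, z = [], owning_zone(zones, rr.owner)
    while z != ".":  # zones below the root, top down, e.g. ["com.", "amazon.com."]
        chain.insert(0, z)
        z = parent_of(z)
    trusted = anchor  # only the configured root key is trusted a priori
    for z in chain:
        ds = zones[parent_of(z)].records.get((z, "DS"))
        if ds is None:
            return "insecure"  # unsigned delegation: nothing below it can be validated
        if not verify(trusted, ds.wire(), ds.sig) or ds.rdata != key_digest(zones[z].pub):
            return "bogus"  # DS forged, or the DNSKEY does not match the DS the parent signed
        trusted = zones[z].pub
    return "secure" if verify(trusted, rr.wire(), rr.sig) else "bogus"

def build_scenario(sign_com: bool = True) -> Tuple[Dict[str, Zone], PubKey]:
    root, com, amazon = (Zone(n, *make_keypair(PRIMES[i], PRIMES[i + 1]))
                         for n, i in ((".", 0), ("com.", 2), ("amazon.com.", 4)))
    if sign_com:
        root.delegate(com)
    com.delegate(amazon)
    amazon.publish("www.amazon.com.", "A", b"192.0.2.10")  # constructed address
    return {z.name: z for z in (root, com, amazon)}, root.pub

def demo() -> Dict[str, str]:
    """Four outcomes: the genuine chain, two forgeries, and an unsigned TLD."""
    www = ("www.amazon.com.", "A")
    zones, anchor = build_scenario()
    evil = Zone("amazon.com.", *make_keypair(PRIMES[6], PRIMES[7]))  # attacker's own key
    evil.publish(*www, b"203.0.113.66")  # constructed spoofed address
    results = {"genuine": validate(zones, anchor, zones["amazon.com."].records[www]),
               "forged_answer": validate(zones, anchor, evil.records[www])}
    zones["amazon.com."] = evil  # attacker also substitutes the zone's DNSKEY
    results["forged_zone_key"] = validate(zones, anchor, evil.records[www])
    zones, anchor = build_scenario(sign_com=False)
    results["com_unsigned"] = validate(zones, anchor, zones["amazon.com."].records[www])
    return results
```

Calling `demo()` returns the validator's verdict for each scenario: the intact chain is `secure`; a forged answer and a substituted zone key are both `bogus`, because neither can be linked back to the root key the resolver holds; and an unsigned com delegation makes the answer `insecure` rather than `bogus`, which is why the message insists that every zone on the path be signed before the browser gains anything from DNSSEC.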