[Cialug] SOT: DNSSEC and what it means to the average joe

Zachary Kotlarek zach at kotlarek.com
Thu Jan 28 22:58:34 CST 2010


On Jan 28, 2010, at 9:25 PM, Todd Walton wrote:

> In a nutshell, what are these fundamental problems?  And what would you propose as a fix?

Well there's the big problems that DNSSEC tries to solve, like spoofing/cache poisoning/etc. I agree those are things that need fixing, and DNSSEC works toward that end.

But then there's transactional privacy. There's no reason everyone along my transmission path needs to know what hostnames I'm resolving. We're adding encryption to DNS, but not bothering to add transactional privacy?!?!

There are also lesser issues, like DoS and replay attacks, that DNSSEC does nothing to address. Nor can it be easily extended to address them in the future.

And then there's the hack-job way that DNSSEC fixes things, that introduces all new problems, like weak encryption, a public list of all hosts/subdomains in a domain, record expiration, more round-trip packets, etc.

As for the fixes:

You could encrypt transactions on-the-fly instead of pre-computing signatures. While that does increase the computational load it also adds transactional privacy, removes the possibility of replay attacks, removes the need to publish your entire list of hosts/subdomains, removes the need to expire records, and potentially reduces the number of round-trips needed to complete a DNS transaction.

Add to that a better encryption algorithm so you can still get high-quality encryption with the shorter keys necessary for DNS-like transactions, and you'd help future-proof the protocol against advances in computational speed.

Those two changes would address 2/3 of my concerns, AND provide all the security of DNSSEC.

And that's just off the top of my head. Presumably with the years and millions of dollars we've put into DNSSEC it would be possible to address the other issues as well.

	Zach
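The replay and record-expiration points above come down to one design choice: a signature computed once ahead of time is only as fresh as its validity window, whereas a response signed per transaction can be bound to something the client just chose. The toy below (added here as an illustration; it is not code from the list thread, not DNSSEC wire format, and uses an HMAC with a constructed key as a stand-in for a real zone signature) shows both models side by side: a pre-signed record with inception/expiration times that a validator must enforce, and a per-query signature that covers a client nonce so a captured old answer cannot be replayed at all.

```python
"""Pre-computed signature with a validity window vs. per-transaction signing.

Simplified model of the trade-off discussed above. HMAC-SHA256 over a
constructed key stands in for a real asymmetric zone signature; the record
layout is invented for the example and is NOT the DNSSEC RRSIG format.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DAY = 86_400
ZONE_KEY = b"constructed-demo-key-not-a-real-zone-key"  # assumption: shared toy key


@dataclass(frozen=True)
class SignedRecord:
    """A record plus a pre-computed signature that is valid for a fixed window."""
    name: str
    rdata: str
    inception: int   # unix time the signature becomes valid
    expiration: int  # unix time after which validators must reject it
    sig: bytes


def _record_bytes(name: str, rdata: str, inception: int, expiration: int) -> bytes:
    # The window is part of what is signed, so an attacker cannot extend it.
    return f"{name}|{rdata}|{inception}|{expiration}".encode()


def presign_record(name: str, rdata: str, inception: int, lifetime: int,
                   key: bytes = ZONE_KEY) -> SignedRecord:
    """Zone operator signs once, ahead of time (the DNSSEC-style model)."""
    expiration = inception + lifetime
    sig = hmac.new(key, _record_bytes(name, rdata, inception, expiration),
                   hashlib.sha256).digest()
    return SignedRecord(name, rdata, inception, expiration, sig)


def verify_presigned(rec: SignedRecord, now: int, key: bytes = ZONE_KEY,
                     enforce_window: bool = True) -> str:
    """Validator check. Returns 'valid', 'bad-signature' or 'expired'."""
    expected = hmac.new(key, _record_bytes(rec.name, rec.rdata, rec.inception,
                                           rec.expiration), hashlib.sha256).digest()
    if not hmac.compare_digest(rec.sig, expected):
        return "bad-signature"
    # Without this check a correctly signed but stale record replays forever.
    if enforce_window and not (rec.inception <= now <= rec.expiration):
        return "expired"
    return "valid"


def sign_on_the_fly(name: str, rdata: str, nonce: bytes,
                    key: bytes = ZONE_KEY) -> bytes:
    """Per-transaction model: the signature covers a nonce the client chose."""
    return hmac.new(key, nonce + b"|" + f"{name}|{rdata}".encode(),
                    hashlib.sha256).digest()


def verify_on_the_fly(name: str, rdata: str, nonce: bytes, sig: bytes,
                      key: bytes = ZONE_KEY) -> bool:
    return hmac.compare_digest(sig, sign_on_the_fly(name, rdata, nonce, key))


def replay_demo() -> dict:
    """Constructed scenario: a host changes address two days after signing.

    An on-path party who captured the original signed answer replays it later.
    """
    t0 = 1_264_000_000                      # constructed epoch timestamp
    old = presign_record("www.example.test", "192.0.2.10", t0, 7 * DAY)
    # Operator moves the host on day 2; the old signed record is still "valid"
    # to any validator until day 7 (the replay window equals the signature lifetime).
    results = {
        "replay_day3_window_enforced": verify_presigned(old, t0 + 3 * DAY),
        "replay_day8_window_enforced": verify_presigned(old, t0 + 8 * DAY),
        "replay_day8_window_ignored": verify_presigned(old, t0 + 8 * DAY,
                                                       enforce_window=False),
    }
    # Per-transaction signing: the client's fresh nonce is inside the signature,
    # so an answer captured for a previous nonce fails immediately.
    nonce_then, nonce_now = secrets.token_bytes(16), secrets.token_bytes(16)
    captured = sign_on_the_fly("www.example.test", "192.0.2.10", nonce_then)
    results["otf_replay_fresh_nonce"] = verify_on_the_fly(
        "www.example.test", "192.0.2.10", nonce_now, captured)
    results["otf_genuine_fresh_nonce"] = verify_on_the_fly(
        "www.example.test", "192.0.2.10", nonce_now,
        sign_on_the_fly("www.example.test", "192.0.2.10", nonce_now))
    return results


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

The scenario makes the cost of the pre-computed model concrete: the validator cannot tell a replayed day-3 answer from a genuine one, so the only defence is a short lifetime plus strict expiration checking, which is exactly why expiration becomes a mandatory part of the record. The per-transaction model removes that window at the price of a signature per query.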


