What to do about DNS? [LWN.net]

What to do about DNS?

Posted Apr 12, 2007 7:26 UTC (Thu) by ekj (subscriber, #1524)
Parent article: What to do about DNS?

Even if you are certain you know the right address to use for a particular domain, you are not guaranteed that a connection made to that IP actually gets to your intended destination. In order to ensure that, you must have another layer of encryption such as HTTPS or ssh using verified keys.

Correct. And if you *do* have that -- then the DNSSEC part of the deal is completely pointless.

If I check the server-identity by the servers ssh-key or https-certificate or whatever, then I already know enough to know if I'm talking to the correct or a fake server.

Knowing that DNSSEC is fakeable by the US-govt is just icing. Makes an already stupid idea completely irrelevant.

(Log in to post comments)

What to do about DNS?

Posted Apr 12, 2007 9:44 UTC (Thu) by copsewood (subscriber, #199) [Link]

If I check the server-identity by the servers ssh-key or https-certificate or whatever, then I already know enough to know if I'm talking to the correct or a fake server.

True if you:

check the authenticated domain name is what you think it should be
and know what it should be in the first place
and it doesn't have any Unicode characters in it that are represented in your browser similarly or identically to characters in the domain name already known to you.

This also means you have to trust the certificator's checks of the identity of the owner of the https certificate to trust the identity of the https certificate owner. My understanding of DNSSEC is that it attempts to provide a much more scalable solution, by cryptographically authenticating the domain registration process itself rather than by tacking cryptography onto domain ownership as an afterthought. In other words you get a certificate when you register or renew a DNSSEC domain rather than having to purchase the certificate separately. DNSSEC also presumably makes it possible for different top level domains to enforce different standards and fees concerning the quality of names and the certification and repudiation of these. For example having a .MAIL TLD which requires adoption of a set of standards for management of mailing lists and which manages an associated reputation system, and a .SPAM domain which allows anyone to buy domain names at the cheapest technical cost temporarily using stolen credit cards would make mail filtering a whole lot easier. Having a .PLC domain which checks that registrants are public limited companies would enable someone seeing this as a TLD on a browser to know something about the registrant, as well as knowing that the .PLC operator will have checked the credentials of the subdomain owner before issuing a DNSSEC certificate.

So I think HTTPS and DNSSEC certificates will both be useful but address different and complementary if overlapping needs. Not all certificates are equal, and having the quality of certification present in the TLD part of the name in my view offers a significant improvement.

What to do about DNS?

Posted Apr 12, 2007 19:24 UTC (Thu) by mmarsh (subscriber, #17029) [Link]

These are, to an extent, separate problems. Having good host keys lets you know if someone is trying to spoof you. A spoof through DNS cache poisoning is either a penetration (of sorts) if you don't detect the spoof, or a denial of service if you do. DNSSEC tries to prevent the denial of service scenario by not directing you to bogus sites. Granted, there's still the spoofed traffic problem, but it requires the attacker to be close (in the network) to either the target server or the target client, and potentially requires capturing a lot of packets. This is a much higher bar than injecting a bogus DNS entry.