Via Slashdot, I find a piece in Wired about how the U.S. government is trying to force DNSSEC on the root zone file. The idea here is that DNSSEC is the only "sure" way to close the DNS cache poisoning problem that Dan Kaminsky publicized earlier this year.
There's one problem. It doesn't completely close the hole.
The DNSSEC extensions let a DNS resolver validate public-key signatures on the records it obtains through recursive queries. This is a signature chain rooted in the DNS itself, not the X.509 certificate PKI used for TLS: as long as you trust the root zone's key (the trust anchor) and the chain of DS and DNSKEY records leading from it down to the zone in question, you get a cryptographically sound guarantee that the DNS answers you're getting really came from the operators of the zones they claim to originate from. Note what that does and doesn't buy you: origin authentication and integrity for signed zones, nothing for unsigned zones, and no confidentiality at all.
The trouble is that most normal people don't run a full recursive resolver on their own computers, and the authoritative servers would be swamped if they all did. The stub resolvers in all the major operating systems, and in embedded devices that use DNS, simply send their queries with the recursion-desired flag set to a caching recursive resolver, typically operated by your ISP, and trust whatever comes back. If you've ever had reason to switch to
OpenDNS, then you understand why trusting your ISP to cache the DNS for you can be risky. (And if you've ever installed your own recursive resolver, then I'm probably preaching to the choir in this post.)
So, how does DNSSEC work in the presence of caching resolver proxies? It's complicated by the fact that DNSSEC answers, with their RRSIG and DNSKEY records, are routinely larger than the 512-byte UDP payload the original DNS specification allows, so both the resolver and the server need to support: A) DNS over TCP, which a server asks for by setting the TC (truncated) bit on a UDP answer that didn't fit; and B) EDNS0, the extension that lets a client advertise a larger UDP payload size. B) is not really optional: the DO ("DNSSEC OK") bit that requests signature records at all is carried in the EDNS0 OPT record, so a client that can't speak EDNS0 can't even ask for DNSSEC data, and TCP is the fallback for answers too big even for the advertised UDP size.
Another complication is the proliferation of
NAT in residential gateways. Read all about the technical details regarding DNSSEC and such devices
here. The basic issue is that these boxes all have forwarding DNS proxies in them, and almost none of them support DNSSEC properly, because they A) don't accept DNS over TCP, and B) don't handle the EDNS0 OPT record (and the larger UDP packets it permits) correctly, so DNSSEC over UDP fails as well.
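The two mechanisms above, as an added example written for this post (it is not code from the Wired piece or from any resolver or router vendor): a DNS query builder that sets the EDNS0 OPT record and the DO bit, a parser that reports the TC bit and whether the OPT record and RRSIG records survived the path, and a UDP-then-TCP fallback with injectable transports. The offline demo fakes exactly the gateway behaviour described above, a forwarder that drops the OPT record and truncates over UDP while TCP returns the signed answer; the name example.com, the answer records, the "signature" bytes and the router address 192.168.1.1 are all constructed placeholders.

```python
"""Added example (not from the post): EDNS0/DO query, TC detection, TCP fallback."""
import socket, struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000   # "DNSSEC OK" flag: high bit of the OPT record's TTL field
FLAG_TC = 0x0200  # truncated: the answer did not fit, retry over TCP

def encode_name(name):
    """Dotted name -> length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def decode_name(msg, off):
    """Decode a name at OFF, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(name, qtype=TYPE_A, qid=0x1234, udp_size=4096, do=True):
    """Query with RD set plus an EDNS0 OPT record advertising UDP_SIZE and the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt

def parse_message(msg):
    """Extract the TC bit, the answer RRs and the OPT record (if the path preserved it)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "answers": [], "opt": None}
    off = 12
    for _ in range(qd):                          # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for i in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_OPT:                    # EDNS0: class = payload size, TTL = flags
            info["opt"] = {"udp_size": rclass, "do": bool(ttl & DO_BIT)}
        elif i < an:
            info["answers"].append((name, rtype, rdata))
    return info

def build_response(query, answers, tc=False, opt=True):
    """Constructed responder for offline use: echo QUERY's question, attach ANSWERS."""
    qid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(query, off)
        off += 4
    rrs = [] if tc else answers                  # a truncated reply carries no usable answer here
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, 300, len(r)) + r for n, t, r in rrs)
    extra = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0) if opt else b""
    flags = 0x8180 | (FLAG_TC if tc else 0)      # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", qid, flags, qd, len(rrs), 0, 1 if opt else 0)
    return header + query[12:off] + body + extra

def query_with_fallback(query, udp_send, tcp_send):
    """UDP first; on TC=1 repeat the identical query over TCP. Transports are injectable."""
    reply = parse_message(udp_send(query))
    reply["via"] = "udp"
    if reply["tc"]:
        reply = parse_message(tcp_send(query))
        reply["via"] = "tcp"
    return reply

def has_dnssec_answer(reply):
    """True when the OPT record survived the path and the answer carries RRSIG records."""
    return reply["opt"] is not None and any(t == TYPE_RRSIG for _, t, _ in reply["answers"])

def udp_transport(server, port=53, timeout=3):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(4096)
    return send

def tcp_transport(server, port=53, timeout=3):
    def send(query):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # DNS over TCP is length-prefixed
            f = s.makefile("rb")
            length = struct.unpack("!H", f.read(2))[0]
            return f.read(length)
    return send

if __name__ == "__main__":
    q = build_query("example.com.")
    signed = [("example.com.", TYPE_A, bytes([192, 0, 2, 1])), ("example.com.", TYPE_RRSIG, b"constructed-sig")]
    # Constructed gateway: strips OPT and truncates over UDP; TCP returns the signed answer.
    reply = query_with_fallback(q, lambda m: build_response(q, signed, tc=True, opt=False),
                                lambda m: build_response(q, signed))
    print(reply["via"], has_dnssec_answer(reply))
    # Real router: query_with_fallback(q, udp_transport("192.168.1.1"), tcp_transport("192.168.1.1"))
```

To test your own gateway, point the real transports at its address and query a name in a signed zone: a reply that comes back with no OPT record means the forwarder stripped EDNS0, a reply that never arrives over TCP means it has no TCP service, and a UDP reply with TC set that then succeeds over TCP is the fallback path this post relies on.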
The executive summary here is that signing the root zone will allow your ISP to defend its DNS caches against poisoning attacks, but it's not likely to do you any good until your home router supports DNSSEC as well. Even then, the last hop between your stub resolver and the validating cache is plain, unsigned UDP, so the "authenticated data" bit in the answers you receive is only as trustworthy as that link. Does yours? Mine does, as long as the DNS client properly falls back to TCP for messages that are too large for UDP, which is the case for all the major operating systems I know about. (It doesn't like the UDP extensions.)