Dan,
On Jul 24, 2008, at 3:06 PM, Dan McGarry wrote:
Admittedly, I'm no DNS expert, but my understanding is that there are
still problems with the current DNSSEC implementation.
To clarify a bit, DNSSEC as a protocol has (mostly) stabilized and
there are implementations of that protocol that work today.
I worry in particular about the human factors in DNSSEC:
Yes, human factors are an issue, but...
determining
identity remotely leaves a number of 'social engineering' options open
to attackers; user ignorance concerning certificates and signing
authorities reduces their value;
Both of these aren't really relevant. If the root is signed, there
will be one trust anchor that would need to be configured in caching
servers. If the root isn't signed, IANA will be maintaining a
repository of TLD trust anchors that will have to be configured.
Those trust anchors will be provided to IANA with the same
verification IANA implements for TLD changes, so the assurance level
should be the same.
Just to be clear, DNSSEC trust anchors are a bit different than X.509
(SSL) certificates and there aren't CAs in the traditional sense. Zone
managers can use openly available tools (e.g., dnssec-signzone, see http://www.isc.org/sw/bind/arm94/man.dnssec-signzone.html)
. You don't have to buy the certs.
increased cost of entry for small-scale operators
Yes. More explicitly, there will be additional operational
requirements -- you, as a caching server operator, will have to keep
up with trust anchor key rollovers. If you are a zone administrator,
you'll have to sign your zones and resign them when they expire. If
you don't update the trust anchor when they are rolled over (which
will probably be happening every 6 months or so), responses from the
TLD will fail to validate (and the end users using that caching server
will get an answer that looks exactly like a DNS timeout). If you
don't resign your zones and they expire, no one (who has turned DNSSEC
on in their caching server) will be able to resolve any names in your
zone.
especially in developing countries with no access to credit
cards or other online payment methods.
I don't believe this is the case (see above). I mean, you can buy
tools to help you sign your zones, but there are open source tools
(e.g., http://www.dnssec-tools.org/). IANA will be releasing their
tools as open source Real Soon Now too.
Can someone with more detailed knowledge than I have comment on these
issues, please?
Hope this helps...
Regards,
-drc
