Educause Security Discussion mailing list archives

Re: DNSSEC Deployment


From: Jason Frisvold <frisvolj () LAFAYETTE EDU>
Date: Mon, 17 May 2010 16:58:50 -0400


On 05/17/2010 04:46 PM, Michael Sinatra wrote:
> No, it's actually a known limitation of our current implementations.
> It's not much of a stretch to have the stub resolver do the validation
> (in which case the stub resolver can present the user or the application
> with a much more detailed error message).  One implementation (for
> Linux) already does this.  A slightly bigger stretch (in that it would
> require some minor standards work, unlike the stub resolver idea above)
> is to have the nameserver signal the stub resolver with the reason for
> failure.  All of these seem doable within the existing DNSSEC framework.

Stub validation would require additional horsepower to do, though.  It's
not so much to think that a typical workstation could do it, but what
about the myriad of gateway devices out there?  For instance, can a
Linksys router handle cryptographic checks within the stub resolver?

During a DNSSEC webinar I attended, I was informed that the stub
resolvers are told, via a bit set in the DNS response, whether or not
the DNSSEC verification was successful.  Ergo, there is no actual
cryptographic check on the part of the stub, so it is vulnerable to a
MitM attack.  Obviously moving true cryptographic verification to the
stub would mitigate this, but until then, this is still an issue.

For web browsers, specifically Firefox, I was informed that there is
currently an add-on that will do a full verification check and display
the results (somehow) in the browser.  I have yet to look into it, but
it's at least possible.

> michael

--
---------------------------
Jason Frisvold
Network Engineer
frisvolj () lafayette edu
---------------------------
"What I cannot create, I do not understand"
   - Richard Feynman

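To make the point about the AD bit concrete, here is an added example in Python (standard library only) that is not from this thread or from any of its participants. It builds a stub-style A query carrying the EDNS0 DO bit, then builds two constructed responses that both have the AD bit set: one with the address a validating recursive resolver would return, and one with a different address, which is what the stub would see if anyone between it and the resolver rewrote the answer. The name `www.example.edu`, the transaction id and the addresses are constructed for illustration; `stub_trusts` models a non-validating stub's entire check.

```python
import struct
import ipaddress

# Header flag bits (RFC 1035; AD and CD are defined in RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # "Authenticated Data": set by a validating resolver
FLAG_CD = 0x0010   # "Checking Disabled": set by a client that validates itself

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, dnssec_ok=True):
    """Build a stub-style A query. With dnssec_ok, an EDNS0 OPT record carrying
    the DO bit is appended, asking the recursive resolver to validate and to
    return DNSSEC records (RFC 4035 section 3.2.1)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if dnssec_ok:
        # OPT RR: root name, type 41, CLASS = UDP payload size,
        # TTL field = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return msg


def build_a_response(query, ip, ad):
    """Build a minimal A response to `query`. `ad` controls the AD bit; nothing
    in the wire format stops whoever sends the packet from setting it."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # Answer RR: owner name as a compression pointer to offset 12, TTL 300, 4-byte RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    answer += ipaddress.IPv4Address(ip).packed
    return header + question + answer


def parse_flags(msg):
    """Decode the header flags a stub resolver sees."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def parse_first_a(msg):
    """Return the IPv4 address in the first answer RR. Assumes the layout that
    build_a_response produces: one question, pointer-compressed owner name."""
    qname_end = msg.index(b"\x00", 12) + 1
    pos = qname_end + 4            # skip QTYPE / QCLASS
    pos += 2                       # skip the 2-byte compression pointer
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    pos += 10
    if rtype != TYPE_A or rdlen != 4:
        return None
    return str(ipaddress.IPv4Address(msg[pos:pos + 4]))


def stub_trusts(msg):
    """What a non-validating stub does: trust the answer iff AD is set."""
    return parse_flags(msg)["ad"]


# Constructed sample exchange (not captured traffic); RFC 5737 documentation addresses
query = build_query("www.example.edu")
genuine = build_a_response(query, "192.0.2.10", ad=True)    # what the validating resolver sends
forged = build_a_response(query, "198.51.100.99", ad=True)  # same flags, different answer

if __name__ == "__main__":
    for label, resp in (("genuine", genuine), ("forged", forged)):
        verdict = "trusted" if stub_trusts(resp) else "rejected"
        print(label, parse_flags(resp), parse_first_a(resp), verdict)
```

Both responses pass `stub_trusts`, because the AD bit is only a header flag and the stub never sees an RRSIG. That is exactly the gap the post describes, and RFC 4035 section 4.9.3 draws the same conclusion: a stub may rely on AD only over a channel to its resolver that is itself protected. A stub that validates on its own would instead set the CD bit, ask for the DNSSEC records and check the signature chain itself.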