Educause Security Discussion mailing list archives
Re: DNSSEC Deployment
From: Jason Frisvold <frisvolj () LAFAYETTE EDU>
Date: Mon, 17 May 2010 16:58:50 -0400
On 05/17/2010 04:46 PM, Michael Sinatra wrote:
> No, it's actually a known limitation of our current implementations. It's not much of a stretch to have the stub resolver do the validation (in which case the stub resolver can present the user or the application with a much more detailed error message). One implementation (for Linux) already does this. A slightly bigger stretch (in that it would require some minor standards work, unlike the stub resolver idea above) is to have the nameserver signal the stub resolver with the reason for failure. All of these seem doable within the existing DNSSEC framework.
Stub validation would require additional horsepower to do, though. It's not so much to think that a typical workstation could do it, but what about the myriad of gateway devices out there? For instance, can a Linksys router handle cryptographic checks within the stub resolver? During a DNSSEC webinar I attended, I was informed that the stub resolvers are told, via a bit set in the DNS response, whether or not the DNSSEC verification was successful. Ergo, there is no actual cryptographic check on the part of the stub, so it is vulnerable to a MitM attack. Obviously moving true cryptographic verification to the stub would mitigate this, but until then, this is still an issue. For web browsers, specifically Firefox, I was informed that there is currently an add-on that will do a full verification check and display the results (somehow) in the browser. I have yet to look into it, but it's at least possible.
> michael
-- 
Jason Frisvold
Network Engineer
frisvolj () lafayette edu
"What I cannot create, I do not understand" - Richard Feynman
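Jason's point about the AD bit, as an added illustration that is not part of this thread: the Authentic Data flag is an ordinary, unsigned bit in the DNS header, so a stub that does no validation of its own receives it from whatever answered on the path and has nothing it can check locally. The constructed message, the function names (`build_response`, `parse_flags`, `parse_a_record`, `stub_trusts`) and the `resolver_path_trusted` policy input are assumptions made for this example; it uses only the Python standard library.

```python
import struct

# 16-bit DNS header flags word (RFC 1035; AD and CD bits as used by RFC 4035)
QR = 0x8000   # response
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
AD = 0x0020   # Authentic Data: set by a validating resolver; the bit itself is not signed
CD = 0x0010   # Checking Disabled

def build_response(txid, flags, qname, ip):
    """Build a minimal A-record response (constructed sample; question name uncompressed)."""
    header = struct.pack('!HHHHHH', txid, flags, 1, 1, 0, 0)   # QDCOUNT=1, ANCOUNT=1
    labels = b''.join(bytes([len(lab)]) + lab.encode() for lab in qname.split('.')) + b'\x00'
    question = labels + struct.pack('!HH', 1, 1)               # QTYPE=A, QCLASS=IN
    owner = b'\xc0\x0c'                                        # pointer to the question name
    rr = owner + struct.pack('!HHIH', 1, 1, 300, 4) + bytes(int(o) for o in ip.split('.'))
    return header + question + rr

def parse_flags(msg):
    """Decode the header flags; this is all a non-validating stub looks at for DNSSEC."""
    _txid, flags = struct.unpack('!HH', msg[:4])
    return {'qr': bool(flags & QR), 'ra': bool(flags & RA),
            'ad': bool(flags & AD), 'cd': bool(flags & CD)}

def parse_a_record(msg):
    """Return the IPv4 address in the first answer RR, or None if it is not an A record."""
    off = 12
    while msg[off] != 0:                 # skip the question name labels
        off += 1 + msg[off]
    off += 1 + 4                         # label terminator + QTYPE/QCLASS
    off += 2                             # answer owner name (compression pointer)
    rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        return None
    return '.'.join(str(b) for b in msg[off:off + 4])

def stub_trusts(msg, resolver_path_trusted):
    """Policy for a stub that performs no validation of its own.

    AD only means "the resolver that set this bit validated the data". Because the
    flag is plain header state, anything that can rewrite the reply in transit can
    set or clear it, so it is only meaningful when the path to the resolver is itself
    protected (loopback to a local validating resolver, or an authenticated transport).
    """
    return parse_flags(msg)['ad'] and resolver_path_trusted
```

A stub that validates signatures itself, the approach discussed above, needs no such policy because it no longer depends on the flag at all.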