Re: in-addr.arpa server problems for europe?

[Mark Andrews <marka () isc org>]

In message <01c201caaead$b115eda0$1341c8e0$@nl>, "Mark Scholten" writes:
> > -----Original Message-----
> > From: marka () isc org [mailto:marka () isc org]
> > Sent: Tuesday, February 16, 2010 12:37 AM
> > To: Mark Scholten
> > Cc: 'Tony Finch'; nanog () nanog org
> > Subject: Re: in-addr.arpa server problems for europe?
> >
> >
> > In message <017901caae69$5d9e8770$18db9650$@nl>, "Mark Scholten"
> > writes:
> > > > -----Original Message-----
> > > > From: Tony Finch [mailto:fanf2 () hermes cam ac uk] On Behalf Of Tony
> > > > Finch
> > > > Sent: Monday, February 15, 2010 6:21 PM
> > > > To: Mark Scholten
> > > > Cc: nanog () nanog org
> > > > Subject: RE: in-addr.arpa server problems for europe?
> > > >
> > > > On Mon, 15 Feb 2010, Mark Scholten wrote:
> > > > > I've seen problems that are only there because of DNSSEC, so if
> > there
> > > > is a
> > > > > problem starting with trying to disable DNSSEC could be a good
> > idea.
> > > > As long
> > > > > as not all rootzones are signed I don't see a good reason to use
> > > > DNSSEC at
> > > > > the moment.
> > > >
> > > > You realise that two of them are signed now and the rest will be
> > signed
> > > > by
> > > > 1st July?
> > > >
> > > > Tony.
> > >
> > > Yes, I realise that. I also realise that not all nameserver software
> > can
> > > work as it work with DNSSEC. That is also a problem that has to be
> > solved
> > > and for as far as I know all nameserver software we use support it or
> > will
> > > support it in the future. As long as it is not supported by all
> > nameserver
> > > software you can keep problems.
> >
> > Nameservers that are not DNSSEC aware will not get responses that
> > contain DNSSEC records unless a client explicitly requests a DNSSEC
> > record type or make a * (ANY) request.
> >
> > There is no problem to solve.  Just a lot of misunderstanding.
> >
> > That said the majority of nameservers on the planet are DNSSEC aware
> > and will request the DNSSEC record to be returned.  They will also
> > fall back to plain DNS if middleware blocks the response.
>
> As you've understood I need to read something extra about DNSSEC support.
> The most things I know about DNSSEC are based on my contacts with software
> writers that create nameservers and system administrators maintaining
> multiple nameservers. So if I understand it correctly; if a resolver
> requests DNSSEC information (together with for example www.domain.tld) and 1
> resolver before the AUTH nameserver doesn't have DNSSEC it won't ask/require
> DNSSEC? In that case men in the middle attacks are still possible. Also note
> that a provider might have multiple resolvers with some using/able to
> provide DNSSEC and others without DNSSEC support.
>
> Mark

DNSSEC requires a DNSSEC clear path between the validator and the
authoritative servers.  If there is not a DNSSEC clear path the
answers will be rejected as they cannot be validated.  A man in the
middle can launch a denial of service attack but cannot launch a
spoofing attack.

Most validators, at the moment, are co-located with iterative
resolvers which provide the DNSSEC clear path.  Some applications
are fully DNSSEC aware and do their own validation in which case
there needs to be a DNSSEC clear path to the recursive resolver and
onwards to the authoritative servers.  Other applications are only
AD aware, in which case they trust the recursive resolver and need
channel security between the application and the recursive resolver.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org