North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Multiple DNS implementations vulnerable to cache poisoning
On Jul 9, 2008, at 10:39 AM, <michael.dillon@xxxxxx> <michael.dillon@xxxxxx > wrote:
Pressure your local ICANN officers?Mmph. https://ns.iana.org/dnssec/status.html (it's out of ICANN's hands)
1) The term 'signing the root' means a whole lot more than running dnssec-signzone over zone data. Specifically, the URL I provided shows that IANA is _already_ signing the root (more or less) and has been for over a year -- IANA actually has a _very_ elaborate and secure infrastructure (including multiple FIPS 140-3 hardware security modules, air gaps, physical security, and all sorts of other stuff) for root signing. The fact that root zone data you receive from the root servers is not signed may suggest that there is a bit more that needs to be done and pretty much all of that is NOT something ICANN has direct control over.
2) You are exactly right when you say:
The rest of the job is everyone's problem.
Getting DNSSEC to be more than an academic exercise requires BOTH folks signing zones that form an unbroken chain of trust up to a trust anchor configured in validating name servers AND for the operators of those validating name servers to enable DNSSEC. Most of the thrust to date has been on one half of that requirement. How many ISPs represented here are in a position to turn on DNSSEC validation? How many are even running caches that are capable of doing DNSSEC?
For DNSSEC to actually be useful, I suspect somebody needs to write software that provides the user with some indication other than a timeout that a name validation failed, but that's a separate issue.