On Wed, Nov 22, 2000 at 11:12:59AM +0000, John P . Looney wrote:
> So, Signed DNS would be nice, but not needed. And Paul Kelly is less than
> enamoured with me installing Bind9 on our main DNS server here, and
> enabling DNSSEC on that.
BIND 9 is a resource hog -- that's its main problem. In my tests with
no DNSSEC or TSIG it used 60% more RAM and 8 times more CPU under
equivalent load, compared to BIND 8.
It's also got a confidence issue for me: it's an awful large lump of
brand new code from a group with a poor security record.
> Do you think that DNSSEC is anyway likely to be used by even a fraction
> of companies within say five years ? I know that IPv6 is supposed to have
> opportunistic IPSEC support, so it could be useful. If it's not, and it's
> as likely to get mainstream support as PGP signed email, messing with this
> is prolly just pissing against the wind, really.
DNSSEC is stuck with the public-key crypto problem -- ensuring
authenticity of public keys. The DNSSEC solution is to have your DNS
parent use their key to sign your key.
So, the IE key would sign the online.ie key, once the IEDR can properly
determine that the key presented to them for signing is indeed the
proper online.ie key. How do they do that? How do they do that anyway
efficiently? The administrative overhead would be crippling. Imagine
trying that for a few million delegations in COM or DE for example!
Then, of course, you're into the problem of establishing trust in the
supposed IE key that signed the online.ie key. The IE key needs to be
signed by the root key. Since the root has no parent, how does one
establish trust in its key? Current proposal is to have the root key
installed with all nameserver software as a de facto trusted key. Or to
put it another way, the root zone key is a massive single point of
failure. If it were ever to be compromised all bets are off.
The standard solution to prevent that kind of messing is to rollover
keys periodically. How in hell would that work? That'd be sheer chaos.
The only thing worse would be in the event of an unplanned rollover (say
in the case of a compromise). There is no mechanism to systematically
'revoke' a DNSSEC key. Folks would go on trusting a broken key while
others are desperately scrambling to get the new root key through some
out-of-band trusted source.
DNSSEC without a signed root is of marginal benefit. A signed root isn't
close. ICANN and the root operators are still fighting over money.
They're also (rightly) wary of creating a huge SPOF and being
responsible if anything goes wrong.
ccTLD operators are seriously looking at it though. NL, SE and to a
lesser extent DE are at the stage of technical competence. They reckon
they can make the technology work for a signed zone. They have *no* idea
how to handle the administration of managing their keys and signing
their child zones' keys in the real world. (nl.nl. is a signed mirror of
the real NL zone)
TSIG is out there and in use. It's a shared secret system, instead of
public key. I rolled out TSIG between all the IE nameservers just before
I left the IEDR. It works.
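The parent-signs-child chain and the stale-anchor rollover problem described in the post, as an added illustration in Go (my own code, not anything from the thread, from BIND or from the IEDR). It assumes a hypothetical Zone type with Ed25519 keys standing in for real DNSKEY/DS records, and a resolver whose only trust anchor is the root key it shipped with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Zone is a hypothetical zone record: its key pair plus the parent's
// signature over name||pubkey. The root has no parent, so Sig stays nil.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Sig  []byte
}

func newZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}
// keyRecord is what the parent signs: the child's name plus its public key.
func keyRecord(z *Zone) []byte { return append([]byte(z.Name), z.Pub...) }
// Delegate is the parent signing the child's key (IE signing online.ie).
func (parent *Zone) Delegate(child *Zone) {
	child.Sig = ed25519.Sign(parent.priv, keyRecord(child))
}
// VerifyChain checks each parent-over-child signature from the leaf up and
// accepts the chain only if the top key equals the resolver's trust anchor.
func VerifyChain(anchor ed25519.PublicKey, chain ...*Zone) bool {
	for i := 0; i+1 < len(chain); i++ {
		if !ed25519.Verify(chain[i+1].Pub, keyRecord(chain[i]), chain[i].Sig) {
			return false
		}
	}
	return chain[len(chain)-1].Pub.Equal(anchor)
}
// Rollover builds root -> ie -> online.ie, verifies against the anchor a
// resolver shipped with, then swaps the root key and re-signs ie (an
// unplanned rollover). Returns (valid before, valid after with stale anchor).
func Rollover() (before, after bool) {
	root, ie, leaf := newZone("."), newZone("ie."), newZone("online.ie.")
	root.Delegate(ie)
	ie.Delegate(leaf)
	shipped := root.Pub // anchor baked into the resolver's software
	before = VerifyChain(shipped, leaf, ie, root)
	newRoot := newZone(".")
	newRoot.Delegate(ie)
	return before, VerifyChain(shipped, leaf, ie, newRoot)
}

func main() { fmt.Println(Rollover()) } // prints: true false
```

After the root key changes, every chain hanging off it fails for a resolver still holding the old anchor, and nothing in the chain itself tells that resolver why.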