In Which I Amuse And Flatter Myself In An Imagined Conversation About DNSSEC With The President Of Zytrax

Thomas Ptacek | August 21st, 2007 | Filed Under: Bitching About Protocols

.

I’m Ron Aitchison, and you’re wrong about DNSSEC.

Thanks for sharing. But what makes you so sure?

.

Because I’m “the President of Zytrax”.

Do they have SSL in Zytrax?

.

You “have to get to the right place, the right IP address” for SSL to work; insecure DNS undercuts SSL.

No, it doesn’t. SSL doesn’t depend on DNS for security. That would have been lunacy: DNS is insecure. So instead, your browser shipped with Verisign’s key. You can’t spoof a certificate because you can’t break RSA.

.

But I can make my own certificates “in the real name of respectedfinancialinstitution.com but sign it myself using a plausible looking name”, and you’ll just ignore the error. After all, Google’s SSL certs never work.

DNSSEC has exactly the same problem. Both DNSSEC and SSL provide the same signal: “the authenticity of this server cannot be verified”. Just because the signal comes from DNS, doesn’t make it any easier for Firefox to render it.

Oh, what’s that you say? DNSSEC solves the problem? Oh, that’s right: when DNSSEC signatures don’t validate, domain names don’t resolve! I get it. The major advance that DNSSEC provides is removing the “continue” button from the SSL certificate warning dialog in my browser.

A modest proposal: can we just disable that button, and forget about DNSSEC? I don’t know who’s going to explain it to the users, though. One-two-three not it!

Oh, sorry. You meant, “I can get a legitimate, Verisign-signed certificate with an authentic-sounding name, and fool users with the name alone”. Allow me to retort: “goto DNSSEC has exactly the same problem”.

.

It is “stunningly naive” to assume sites without SSL are unimportant. I can plant stories in the New York Times! With “grainy, on-the-spot, sense-of-realism” footage, and cause mass panic!

Wow. That is a cool story. Let me see if I can outdo you. I’m cheating, though: compared to yours, my story is plausible.

First, construct a time machine, and send the Internet back 93 years.

A young Gavrilo Princip, enraged at Austro-Hungarian hegemony over Serbia, is just about to let off some steam with a scathing DailyKos post. But just as he pushes the “Submit” button, a DNSSEC RR signature expires, and Gavrilo gets a “host not found” error. Enraged, he storms from his house to a deli, where he comes upon Archduke Franz Ferdinand and puts a bullet through his jugular, goading Austria to issue a series of untenable demands to Serbia. Entangling alliances and the DNSSEC-prompted delivery failures of conciliatory diplomatic emails drag a whole continent into a bloody, pointless war of attrition.

So you see, for me, no matter what the cost, avoiding DNSSEC is vital to the future integrity of the Internet.
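The failure mode mocked above, that a lapsed RRSIG makes a name stop resolving, as an added Python example that is not code from the post: the RFC 4034 validity-window check a validating resolver performs (with the RFC 1982 serial arithmetic the 32-bit timestamps require), the SERVFAIL it returns when an RRset is bogus, and the expiry countdown a zone operator would monitor to keep re-signing ahead of it. The `Rrsig` class and the sample timestamps are constructed for the example, and actual signature verification is replaced by a flag.

```python
from dataclasses import dataclass

# RRSIG Inception/Expiration are 32-bit seconds-since-epoch that wrap in 2106, so
# RFC 4034 section 3.1.5 compares them with RFC 1982 serial number arithmetic.
MOD, HALF = 1 << 32, 1 << 31

def serial_le(a: int, b: int) -> bool:
    """RFC 1982: is 32-bit serial a at or before serial b?"""
    a, b = a % MOD, b % MOD
    return a == b or (a < b and b - a < HALF) or (a > b and a - b > HALF)

@dataclass
class Rrsig:  # constructed stand-in: only the fields the time check needs
    type_covered: str
    inception: int          # signature valid from this time...
    expiration: int         # ...up to and including this time
    signer: str
    crypto_ok: bool = True  # stands in for the actual signature verification

def window_state(sig: Rrsig, now: int) -> str:
    """Validator's clock must satisfy inception <= now <= expiration."""
    if not serial_le(sig.inception, now):
        return "not-yet-valid"
    if not serial_le(now, sig.expiration):
        return "expired"
    return "in-window"

def validate_rrset(sigs: list, now: int) -> str:
    """'secure' if at least one RRSIG is usable, otherwise 'bogus'."""
    ok = any(window_state(s, now) == "in-window" and s.crypto_ok for s in sigs)
    return "secure" if ok else "bogus"

def resolve(answer: list, sigs: list, now: int) -> tuple:
    """A validating resolver turns a bogus RRset into SERVFAIL: the name stops
    resolving even though the authoritative data itself is untouched."""
    if validate_rrset(sigs, now) != "secure":
        return ("SERVFAIL", None)
    return ("NOERROR", answer)

def seconds_until_expiry(sigs: list, now: int) -> int:
    """Zone owner's check: time left on the freshest RRSIG (negative = already dark)."""
    def remaining(sig):
        d = (sig.expiration - now) % MOD
        return d if d < HALF else d - MOD
    return max(remaining(s) for s in sigs)

# Constructed sample: zone signed 2007-08-20 00:00 UTC with a 30-day RRSIG lifetime.
SIGNED_AT, LIFETIME = 1187568000, 30 * 86400
SAMPLE_SIGS = [Rrsig("A", SIGNED_AT, SIGNED_AT + LIFETIME, "example.com.")]
SAMPLE_ANSWER = ["192.0.2.10"]  # RFC 5737 documentation address
```

Alerting on `seconds_until_expiry` dropping below the re-signing interval is the operational guard against the outage the story describes.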

.

Yes, “One of the underlying principles of security is that more code = more errors and security holes.” But no it isn’t. “Bugs are removed and the world moves forward.”

It’s either “one of the underlying principles”, or it isn’t. Google: “hand waving”.

.

In fact, DNSSEC will “be relatively more bug-free” than SSL, because DNSSEC servers can use OpenSSL’s libraries.

Now Google “asymptote”.

.

DNSSEC servers “would do a trivial amount more work”, and are only “marginally more vulnerable to DoS attacks”.

Now Google “chargen Case Against DNSSEC”. Then hit control-F, search for “let’s not even start talking about the guys who run COM”. I didn’t make that up. I also didn’t make up the proposal to turn DNS zones into Unix password files, or the proposal to construct fake covering RR sets to foil zone transfers.

Shenanigans. Read the backlogs of namedroppers, the deployment list, or the dnsops list. Performance is an issue.

.

When DNSSEC is “end-to-end”, which it must be, all the heavy lifting will be done by end-user machines.

I propose a new drinking game: “imagine that you could wave a magic wand and update the bare metal software of every mainstream machine on the Internet, and then come up with something more valuable to do with that power than DNSSEC. Whoever comes closest to the floor value of DNSSEC, without going through it, wins.”

My entry: every host on the Internet gets a royalty-free copy of Univers, in all its normal and oblique widths. Also we eliminate Comic Sans. In fact, just get rid of Comic Sans. Still more valuable than DNSSEC!

.

Yes, to make end-to-end DNSSEC work, “the current stub-resolvers installed on most of the worlds computers would need to be replaced”.

Why, that’s no harder than spontaneously converting the whole world to IPv6!

.

“By the way, Verner was convinced”.

They have medication for that.


[PS]

When you deride the Google ops teams by saying they can’t keep their SSL certificates up-to-date, I’ll respectfully oblige you to cite sources, or again call “shenanigans!” on you.

6 Comments so far

  • Type Nazi

    August 22nd, 2007 12:38 am

    Typographic nit: oblique is not a width per se, but a style. Of course, any attempt to eliminate Comic Sans should be commended.

  • Thomas Ptacek

    August 22nd, 2007 12:46 am

    Agree that the text is ambiguous, but I meant, “all 16 regular weights and all 16 oblique weights”. And if it was up to me, the obliques would be kernel-resident.

  • Matt

    August 22nd, 2007 1:18 am

    That’s the Ptacek I’ve been missing.

    I like your drinking game, sir, but that may be because I’m three shots to the wind already tonight. (And seriously, down with Comic Sans.)

    I think “no harder than… IPv6” is overstating it some. Personally, my immediate thought when I read that section of his piece was, “Oh, sure, because the number of machines on the Internet today is totally the same order of magnitude as it was when SSL was introduced.” *sigh*

  • Dan Moniz

    August 22nd, 2007 12:57 pm

    But without Comic Sans, there’d be no Comic Chat, and hence no Jerkcity! Something about Time Cube. Woe! Finally, with great power comes great responsibility!

    Outside of that, yes, Comic Sans can go.

  • Chris

    August 23rd, 2007 3:31 pm

    The guy from Zytrax (personally, I prefer Initrode) wrote a book about DNS. That surprised me.

  • Thomas Ptacek

    August 23rd, 2007 8:27 pm

    I guess people on Zytrax need books about the DNS just like we Earthlings do.
