On Wed, Oct 20, 2010 at 9:55 PM, Mark Andrews <marka(_at_)isc(_dot_)org>
wrote:
The DNS is not just name to address translation.
It doesn't really matter what DNS translates, all translations
are equally untrusted.
The architecture of the internet is based on good faith and best effort.
DNS is _no_ different.
What we're fighting about is probably not what exactly DNSSEC is
about, but how we define the meaning of "trusted". A lot of folks
seem to argue based on the assumption "faith" == "trust".
If you want to authenticate your peer, use something like an SSH host
key.
And how do you know you should trust the host key the remote machine
presents?
Use whatever you feel comfortable with. Out-of-band pen&paper.
Leap-of-faith on initial encounter.
What do you do yourself when you meet some person for the first time?
Do you ask them for their passport or legal ID-card (not that it would
make much of a difference)? And what do you do on repeated encounter?
The traditional human concept of "trust" between persons is
a combination of "leap-of-faith on initial encounter" with non-negative
experience and getting accustomed to sensoric input patterns to some
of the other persons's biometrics (which requires memorizing those patterns).
And both, evolution and every day life shows us that collecting memories
about previous encounters can help us to significantly reduce our
susceptibility to impersonation.
Phillip Hallam-Baker wrote:
The pre-DNSSEC application architecture for DNS is now obsolete.
That is a common misunderstanding of DNSSEC.
The difference between DNS and DNSSEC is *only* about the
distribution/delivery of the data, not about the trustwortyness of
the data. The error protection in the original DNS distribution protocol
was only against statistical/accidental errors, not against malicious
targeted attacks. DNSSEC protects the distribution/delivery of the data
from malicious targeted modification, and nothing else.
And even if there existed a trusted naming service, that would still
not allow you to distinguish friend and foe by their hostnames,
because knowing the identity of something does not necessarily
reveal its intentions.
I do not expect that DNSSEC will put phishing to an end, and neither
to I expect DNSSEC to prevent further filesharing lawsuits against
internet users.
We have at this point only developed a technical infrastructure for securing
DNS responses. Developing the application architecture to leverage that
opportunity still lies ahead of us.
But even in the new world of DNSSEC with end-to-end authentication, the
resolver plays a role that requires trust and thus should be chosen and
trusted.
We're back to differing definitions of "trust".
The size of the human monkeysphere is around 150 entities, the number of
nodes on the internet is in the billions. So no matter how hard you try,
99.999% of the internet is going to be remain untrusted to every
internet user (for any humanely meaningful definition of "trusted").
Personally, I think it would be much more sensible to help internet users
to improve the effective trust inside their own monkeysphere, instead
of fighting about how we might reduce the untrusted part of the internet
from 99.999999% to 99.999998%.
-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf