On 2013-09-06, at 10:16, Theodore Ts'o <tytso(_at_)mit(_dot_)edu> wrote:
On Fri, Sep 06, 2013 at 06:20:48AM -0700, Pete Resnick wrote:
In email,
we insist that you authenticate the recipient's certificate before
we allow you to install it and to start encrypting, and prefer to
send things in the clear until that is done. That's silly and is
based on the assumption that encryption isn't worth doing *until* we
know it's going to be done completely safely.
Speaking of which, Jim Gettys was trying to tell me yesterday that
BIND refuses to do DNSSEC lookups until the endpoint client has
generated a certificate.
All modern DNSSEC-capable resolvers (regardless of whether validation has been
turned on) will set DO=1 in the EDNS0 header and will retrieve signatures in
responses if they are available. BIND9 is not a counter-example. Regardless, an
end host downstream of a resolver that behaves differently (but that is capable
of and desires to perform its own validation) can detect an inability to
receive signatures, and can act accordingly.
There is no client certificate component of DNSSEC. The trust anchor for the
system is published as part of root zone processes at IANA, and a variety of
mechanisms are available to infer trust in a retrieved trust anchor. (These
could use more work, but they exist.)
There is a (somewhat poorly-characterised and insufficiently-measured)
interaction with a variety of middleware in firewalls, captive hotel hotspot,
etc that will prevent an end host from being able to validate responses from
the DNS, but in those cases the inability to validate is known by the end host;
you still have the option of closing your laptop and reattaching it to the
network somewhere else.
Which is bad, since out-of-box, a home
router doesn't have much in the way of entropy at that point, so you
shouldn't be trying to generate certificates at the time of the first
boot-up, but rather to delay until you've had enough of a chance to
gather some entropy.
In DNSSEC, signatures are generated before publication of zone data, and are
verified by validators. You don't need a high-quality entropy source to
validate a signature. There is no DNSSEC requirement for entropy in a home
router or an end host.
(Or put in a real hardware RNG, but a
race-to-the-bottom in terms of BOM costs makes that not realistic.) I
told him that sounds insane, since you shouldn't need a
certificate/private key in order to do digital signature verification.
I think you were on the right track, there.
Can someone please tell me that BIND isn't being this stupid?
This thread has mainly been about privacy and confidentiality. There is nothing
in DNSSEC that offers either of those, directly (although it's an enabler
through approaches like DANE to provide a framework for secure distribution of
certificates). If every zone was signed and if every response was validated, it
would still be possible to tap queries and tell who was asking for what name,
and what response was returned.
Joe