
Re: [saag] What does DNSSec protect? (Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)

2014-08-10 13:18:35
On Sun, Aug 10, 2014 at 05:35:03PM -0000, John Levine wrote:
> As far as I can tell, we don't have a good word to describe what
> DNSSEC does.

Nonsense.  "This data was not tampered with while in transit from the
authoritative server to you."  That's what it does.

That's not nothing, because DNS works over UDP and it has to cope with
all manner of caches not under your control and not under the
authoritative server's control.

It's true that it doesn't prove to you that the authoritative server
hasn't been subverted.  But that is no greater weakness than you had
before: if the authoritative server is subverted, then it can also
give you bad destination data.

It's also true that it can't protect against collusion across the zone
cut: if the parent side of a zone cut (where a DS goes) colludes with
a hijacking child side (where the corresponding DNSKEY goes), then the
zone is well and truly owned.  

If the desire is to have very strong end-to-end credentials, then you
can still actually detect this using DNSSEC and not without it.  You
could have a strong certificate (like say an X.509 one) that you
trust.  You can also know that the target domain publishes its keys
using DANE, so that you can check that the key you expect is the key
they're using.  If you don't get that when looking in the DNS, it
would be prudent to assume the domain has been subverted.

But if you don't trust the parent side of the zone cut (which is often
called "the registry", particularly when it is in control of the
top-level domain), then no, you can't trust that you got where you
wanted.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
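The DANE check Andrew describes, as an added example that is not part of the original mail: a client already holds an X.509 certificate it trusts for a domain, fetches the domain's TLSA records (RFC 6698) over DNSSEC, and confirms that the key it expects is the key the zone says it is using. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER, since the matching logic only hashes or compares bytes; the function and constant names are this example's own, not anything from the thread. The example also encodes the mail's "prudent to assume the domain has been subverted" rule: for a domain known to publish TLSA, an empty answer is reported as its own verdict rather than folded into a plain mismatch.

```python
"""DANE (RFC 6698) TLSA matching against a certificate you already trust.

Added example; not code from the original mail.  The certificate and
SubjectPublicKeyInfo bytes below are constructed stand-ins, not real
DER, because the matching logic only ever hashes or compares bytes.
"""
import hashlib
import hmac
from dataclasses import dataclass

# TLSA RDATA field values used here (RFC 6698 section 2.1).
USAGE_DANE_EE = 3          # certificate usage 3: end-entity assertion
SELECTOR_FULL_CERT = 0     # whole DER certificate
SELECTOR_SPKI = 1          # DER SubjectPublicKeyInfo only
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse presentation-format RDATA such as '3 1 1 deadbeef...'.
    The hex field may contain whitespace, as zone files allow."""
    usage, selector, mtype, hexdata = presentation.split(maxsplit=3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hexdata.split())))


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive what the record's data field should equal for this certificate."""
    selected = {SELECTOR_FULL_CERT: cert_der, SELECTOR_SPKI: spki_der}[record.selector]
    if record.matching_type == MATCH_EXACT:
        return selected
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {record.matching_type}")


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Constant-time comparison of the derived value with the published one."""
    return hmac.compare_digest(association_data(record, cert_der, spki_der), record.data)


def dane_verdict(records, cert_der: bytes, spki_der: bytes) -> str:
    """Return 'match', 'mismatch' or 'no-tlsa'.

    Only DANE-EE (usage 3) records are evaluated: they pin the end-entity
    certificate itself, which is the case the mail describes.  Usage 0-2
    records pin a CA and would need the chain, so they are not counted.
    'no-tlsa' is reported separately because, for a domain you know
    publishes TLSA, an empty answer is the subversion signal, not a
    reason to fall back to the certificate alone.
    """
    usable = [r for r in records if r.usage == USAGE_DANE_EE]
    if not usable:
        return "no-tlsa"
    return "match" if any(tlsa_matches(r, cert_der, spki_der) for r in usable) else "mismatch"


# Constructed inputs (stand-ins for DER bytes, not real certificates).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"example.com legitimate certificate"
SAMPLE_SPKI_DER = b"\x30\x59" + b"example.com legitimate public key"
ATTACKER_CERT_DER = b"\x30\x82\x01\x00" + b"attacker certificate for example.com"
ATTACKER_SPKI_DER = b"\x30\x59" + b"attacker public key"

# What the zone would publish at _443._tcp.example.com: usage 3, selector 1
# (SPKI), matching type 1 (SHA-256).  Constructed here from the stand-in key.
PUBLISHED_TLSA = [
    parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()),
]

if __name__ == "__main__":
    print(dane_verdict(PUBLISHED_TLSA, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))      # match
    print(dane_verdict(PUBLISHED_TLSA, ATTACKER_CERT_DER, ATTACKER_SPKI_DER))  # mismatch
    print(dane_verdict([], SAMPLE_CERT_DER, SAMPLE_SPKI_DER))                  # no-tlsa
```

In a real client the records would come from a validating resolver with the AD bit set (or from local validation), and the certificate from the TLS handshake; the point of the exercise is that a hijacker who controls only the authoritative DNS, or only the CA, cannot produce both a trusted certificate and a matching DNSSEC-signed TLSA record.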
