
Re: [saag] What does DNSSec protect? (Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)

2014-08-10 14:37:34
Andrew,

Again, my point --and concern-- is not how DNSSEC works or the
statements we make about it when we are being careful.   It is
about people engaging in hyperbole of the nature of "you have
DNSSEC, now you are safe" (with the implication of "from all
sorts of attacks") or using other language that implies that the
threats that you (and John L.) have identified.  

As an example, I've heard ISPs say things that a normal human
being would interpret as "now that we have DNSSEC at our DNS
servers, you are safe from phishing".  The reality, of course,
is that the trust relationships between my desktop (if it
doesn't do its own validation) and that ISP's forwarding DNS
server are, at best, complex (as others have pointed out as
well) and that most of the key issues in phishing have nothing
to do with anything DNSSEC addresses directly.   As you point
out, the protection gets stronger with out-of-band knowledge of
the types you identify, but the typical user doesn't have that
knowledge, wouldn't know what to do with it if he or she did,
and so on.  Most important, what they think the ISP is telling
them is "you are safe now" and not "this is one more tool that,
when added to others, caution, some skill, and good judgment,
will considerably increase your resistance to attacks".   The
latter is certainly true.  The former, at best, contributes to a
dangerous and false sense of security.

To summarize, I'm not concerned with the technology not working
as designed.  I'm concerned with a false advertising and
perception problem, whether that is intentional or just
carelessness.

   john



--On Sunday, August 10, 2014 14:18 -0400 Andrew Sullivan
<ajs@anvilwalrusden.com> wrote:

> On Sun, Aug 10, 2014 at 05:35:03PM -0000, John Levine wrote:
> > As far as I can tell, we don't have a good word to describe
> > what DNSSEC does.
> 
> Nonsense.  "This data was not tampered with while in transit
> from the authoritative server to you."  That's what it does.
> 
> That's not nothing, because DNS works over UDP and it has to
> cope with all manner of caches not under your control and not
> under the authoritative server's control.
> 
> It's true that it doesn't prove to you that the authoritative
> server hasn't been subverted.  But that is no greater weakness
> than you had before: if the authoritative server is subverted,
> then it can also give you bad destination data.
> 
> It's also true that it can't protect against collusion across
> the zone cut: if the parent side of a zone cut (where a DS
> goes) colludes with a hijacking child side (where the
> corresponding DNSKEY goes), then the zone is well and truly
> owned.
> 
> If the desire is to have very strong end to end credentials,
> then you can still actually detect this using DNSSEC and not
> without it.  You could have a strong certificate (like say an
> X.509 one) that you trust.  You can also know that the target
> domain publishes its keys using DANE, so that you can check
> that the key you expect is the key they're using.  If you
> don't get that when looking in the DNS, it would be prudent to
> assume the domain has been subverted.
> 
> But if you don't trust the parent side of the zone cut (which
> is often called "the registry", particularly when it is in
> control of the top-level domain), then no, you can't trust
> that you got where you wanted.
> 
> A
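The DANE check Andrew describes (compare the key the server actually presents with what the domain publishes in its TLSA record, and treat a mismatch under a DNSSEC-validated answer as a sign that the domain has been subverted), written out as an added example; this is not code from the thread or from any of its authors. It follows RFC 6698: a TLSA record is (usage, selector, matching type, data), selector 1 picks the SubjectPublicKeyInfo out of the certificate, matching type 1 hashes it with SHA-256, and usage 3 (DANE-EE) means "this exact end-entity key". Everything in it is constructed: the certificate is a structurally valid but unsigned toy built with a tiny DER encoder, the TLSA record is derived from it, and the function names (`dane_ee_ok`, `extract_spki`, `association_data`) are this example's own. No DNS query or DNSSEC validation happens; the caller passes the resolver's verdict (the AD bit), which is exactly the trust gap John's message is about when the desktop does not validate for itself.

```python
"""DANE-EE (TLSA usage 3) matching per RFC 6698 section 2.1.
Added example, not from the thread: certificate and TLSA record are constructed
below so this runs offline; no DNS lookup or DNSSEC validation is performed,
the caller says whether the TLSA answer was validated (AD bit)."""
import hashlib
from collections import namedtuple

SEQUENCE, INTEGER, BIT_STRING, OID, CONTEXT0 = 0x30, 0x02, 0x03, 0x06, 0xA0
# usage: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE; selector: 0 full cert,
# 1 SubjectPublicKeyInfo; mtype: 0 exact bytes, 1 SHA-256, 2 SHA-512
TLSA = namedtuple("TLSA", "usage selector mtype data")


def der_tlv(tag, content):
    """Encode one DER TLV (only used to build the constructed test certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content


def der_read(buf, pos):
    """Decode the definite-length TLV at buf[pos]; return (tag, content, end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos + hdr:end], end


def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV: Certificate ::= SEQ { TBSCertificate
    ::= SEQ { [0] version OPTIONAL, serialNumber, signature, issuer, validity,
    subject, subjectPublicKeyInfo, ... }, signatureAlgorithm, signatureValue }."""
    tag, cert_body, _ = der_read(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate")
    tag, tbs, _ = der_read(cert_body, 0)
    if tag != SEQUENCE:
        raise ValueError("not a TBSCertificate")
    pos = 0
    tag, _, nxt = der_read(tbs, 0)
    if tag == CONTEXT0:            # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):             # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo missing")
    return tbs[pos:end]


def association_data(cert_der, selector, mtype):
    """Compute what the TLSA data field must equal for this certificate."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector/matching type")
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return selected
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(selected).digest()


def dane_ee_ok(records, cert_der, dnssec_validated):
    """True iff a DANE-EE (usage 3) record matches the presented certificate.
    An unvalidated TLSA answer (no AD bit, or a forwarder you cannot vouch for)
    proves nothing, so it counts as no match.  A validated mismatch is the cue
    to treat the domain as subverted; parent/child collusion across the zone
    cut (DS plus DNSKEY) is still not detectable at this layer."""
    if not dnssec_validated:
        return False
    for rec in records:
        if rec.usage != 3:         # PKIX-* and DANE-TA need chain building; not shown
            continue
        try:
            if association_data(cert_der, rec.selector, rec.mtype) == rec.data:
                return True
        except ValueError:
            continue
    return False


# --- constructed test data: no real key, unsigned, structurally valid DER ---
def toy_spki(key_bytes):
    """SubjectPublicKeyInfo with the rsaEncryption OID and fake key bits."""
    alg = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    return der_tlv(SEQUENCE, alg + der_tlv(BIT_STRING, b"\x00" + key_bytes))


def toy_certificate(spki):
    tbs = (der_tlv(CONTEXT0, der_tlv(INTEGER, b"\x02"))  # version v3
           + der_tlv(INTEGER, b"\x01")                   # serialNumber
           + der_tlv(SEQUENCE, b"") * 4                  # signature/issuer/validity/subject placeholders
           + spki)
    return der_tlv(SEQUENCE, der_tlv(SEQUENCE, tbs) + der_tlv(SEQUENCE, b"") + der_tlv(BIT_STRING, b"\x00"))


GOOD_SPKI = toy_spki(b"\x01\x02\x03\x04" * 8)
GOOD_CERT = toy_certificate(GOOD_SPKI)
ROGUE_CERT = toy_certificate(toy_spki(b"\xff\xee\xdd\xcc" * 8))
# What the owner would publish as "_443._tcp.example.com. IN TLSA 3 1 1 <hex of data>"
PUBLISHED = [TLSA(3, 1, 1, hashlib.sha256(GOOD_SPKI).digest())]
```

Calling `dane_ee_ok(PUBLISHED, GOOD_CERT, True)` returns True, `dane_ee_ok(PUBLISHED, ROGUE_CERT, True)` returns False (the validated record names a different key, Andrew's "assume the domain has been subverted" case), and `dane_ee_ok(PUBLISHED, GOOD_CERT, False)` also returns False: with the same good certificate, an unvalidated answer buys nothing, which is the position of a desktop that leaves validation to an ISP forwarder.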



