The worst thing about the exploit -- Have you done your part?

Mark Elkins mje at posix.co.za
Tue Jul 29 16:46:24 UTC 2008


On Tue, 2008-07-29 at 19:31 +1000, Mark Andrews wrote:
> > On Sat, 26 Jul 2008, Alan Clegg wrote:
> > 
> > > Date: Sat, 26 Jul 2008 11:41:10 -0400
> > > From: Alan Clegg <Alan_Clegg at isc.org>
> > > To: Ben Croswell <ben.croswell at gmail.com>, DNS BIND <bind-users at isc.org>
> > > Subject: Re: The worst thing about the exploit -- Have you done your part?
> > > 
> > > Ben Croswell wrote:
> > >> I also see a lot of people calling for DNSSEC to fix the underlying
> > >> issue, but unless I am mistaken DNSSEC won't fix the issue unless we

> > I got to ask the painfully obvious question...  Why hasn't DNSSEC started
> > at the top?  Why aren't the root servers supporting it?
> 
> 	Layer 9 politics.  Talk to your local member and ask them to request
> 	that the root gets signed.

> 	Com is waiting for NSEC3 support.  BIND 9.6 will have NSEC3 support.
> 	NSEC3 removes the ability to enumerate the zone contents.  It also
> 	reduces the size requirements when optout is in use making the size
> 	changes proportional to the number of secure delegations.
> 
> 	Mark
> > Jeff Earickson
> > Colby College


If everyone were running DNSSEC overnight, we'd have a more secure DNS
system - but what applications actually use that knowledge?
I know there is (was? - can't seem to locate it just now) a Firefox
extension to get it to show the status of a DNS lookup (no DNSSEC,
DNSSEC and signed OK, DNSSEC with bad sig) and to show a status bar in
some appropriate colour - but what about all the other applications that
use DNS? I understand that Firefox will still use "bad" (signed but
incorrect signature) DNS - kinda like the padlock icon for secure web
pages - which Joe Public still ignores....

So what about all the other apps that use DNS?
Don't they have to be 'fixed' too?
Should the application refuse to work if it encounters a bad DNSSEC signature?
(Any guesses as to when BIND 9.6 will appear?)

-- 
  .  .     ___. .__      Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
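The three states the post lists (no DNSSEC, signed OK, bad signature) are what an application has to tell apart, and with a validating recursive resolver they are all visible in the DNS header: the AD (Authenticated Data) flag is set when the answer's signatures chained to a trust anchor (RFC 4035 section 3.2.3), and data whose signatures are bad is not returned at all but replaced by SERVFAIL, unless the client set CD (Checking Disabled) to ask for it anyway. The following is an added example, not code from the original post or from BIND; the function names `classify` and `should_use`, the four state labels and the sample messages are my own, and it assumes the application is talking to a validating resolver over a path an attacker cannot alter (the loopback interface, typically), because the AD bit is only a flag in a cleartext packet.

```python
"""Classify a recursive resolver's answer by DNSSEC validation status.

Added example, not code from the original post or from BIND. Assumes the
application uses a *validating* recursive resolver (e.g. BIND with DNSSEC
validation turned on) reached over a trusted path: such a resolver sets the
AD (Authenticated Data) header flag when the answer's signatures chained to
a trust anchor, and answers SERVFAIL instead of handing back data whose
signatures are bad, unless the client set CD (Checking Disabled).
All DNS messages here are constructed in-line; nothing goes on the wire.
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
FLAG_QR = 0x8000       # message is a response
FLAG_RD = 0x0100       # recursion desired
FLAG_RA = 0x0080       # recursion available
FLAG_AD = 0x0020       # authenticated data: the resolver validated this answer
FLAG_CD = 0x0010       # checking disabled: client told the resolver not to validate
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_response(msg_id, rcode, authenticated=False, checking_disabled=False, ancount=1):
    """Constructed sample: a 12-byte response header only, since the status
    decision below reads nothing past the header."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & RCODE_MASK)
    if authenticated:
        flags |= FLAG_AD
    if checking_disabled:
        flags |= FLAG_CD
    return HEADER.pack(msg_id, flags, 1, ancount, 0, 0)


def classify(response, expected_id):
    """Return one of 'secure', 'insecure', 'unvalidated', 'servfail'.

    'secure'      - AD set: signatures verified against the resolver's trust anchors
    'insecure'    - no AD: unsigned zone, or a resolver that does not validate
    'unvalidated' - CD was set on the query, so bad signatures were NOT rejected
    'servfail'    - the resolver refused to answer; with a validating resolver
                    this is what a bad signature looks like (but so is an outage)
    """
    if len(response) < HEADER.size:
        raise ValueError("truncated DNS header")
    msg_id, flags, _qd, _an, _ns, _ar = HEADER.unpack_from(response)
    if msg_id != expected_id:
        # A response whose ID does not match our query is discarded outright.
        raise ValueError("response ID does not match the query: discard it")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & RCODE_MASK
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if flags & FLAG_AD:
        return "secure"
    if flags & FLAG_CD:
        return "unvalidated"
    return "insecure"


def should_use(state, require_validation=False):
    """Application policy. Default: accept secure and insecure answers (most zones
    are unsigned), never act on SERVFAIL or on data fetched with CD. Strict mode
    (require_validation=True) insists on AD, i.e. refuses anything that was not
    signed and verified."""
    if state == "secure":
        return True
    if state == "insecure":
        return not require_validation
    return False


if __name__ == "__main__":
    qid = 0x1234
    samples = {
        "signed, validated": build_response(qid, RCODE_NOERROR, authenticated=True),
        "unsigned or non-validating resolver": build_response(qid, RCODE_NOERROR),
        "bad signature, resolver validating": build_response(qid, RCODE_SERVFAIL, ancount=0),
        "bad signature, queried with CD": build_response(qid, RCODE_NOERROR, checking_disabled=True),
    }
    for label, msg in samples.items():
        state = classify(msg, qid)
        print(f"{label:40s} -> {state:12s} use? {should_use(state)}")
```

Two caveats follow from the code. SERVFAIL is ambiguous: an application that wants to know whether a name failed validation or merely timed out can re-query with CD set, which gets the unvalidated data back together with its RRSIGs for diagnosis, but that data must not be used for anything else, which is why `should_use` rejects the 'unvalidated' state. And the AD flag is only as trustworthy as the path to the resolver: an application reading AD from an answer that crossed an untrusted network has gained nothing, so either the resolver runs on the same host or the application validates the signatures itself.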


