feature survey -- bind9 dnssec -- autogenerate missing signatures

Danny Mayer mayer at ntp.isc.org
Sun Oct 12 03:00:45 UTC 2008


Paul Vixie wrote:
>>   But, just remember: you haven't introduced any new attacks by having
>> the key available, unencrypted, on the DNS primary.
> 
> well, this is far afield from bind itself, getting into the overall topic
> of dnssec operations, but i disagree.  one of the things dnssec is supposed
> to result in is dnssec-aware applications who behave differently in the face
> of signed results.  these new behaviours create a new collective risk, such
> that a breakin to the primary server without dnssec won't be "as risky" as a
> breakin to the primary server with dnssec.  but that's in the future, when
> dnssec is ubiquitous and dnssec-aware apps actually exist.  for now, the above
> statement is operable.

As I said elsewhere, that would require that the application has a way
of knowing whether or not the results from getaddrinfo() and friends have
been "certified" as being valid but there is no way to return such
information at least not yet. So what is needed is a way of returning
that information. The other part of this is to have a way of specifying
that DNSSEC be used to ensure valid answers. I'd like to dub these
issues the "Last Mile Problem". I don't know if these are being
addressed anywhere, but it really isn't a BIND or DNS issue as much as
it is an API issue. The application needs to have the opportunity of
being able to find that information out or requiring it.

Danny
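The gap Danny describes is that getaddrinfo() returns addresses but never tells the caller whether the answers were DNSSEC-validated. The information does exist on the wire: a validating resolver sets the AD (Authenticated Data) bit in the DNS header. The following is an added example, not code from this thread or from BIND, showing the header check an application (or a resolver library exposing this to applications) would need to perform. The two sample headers are constructed for illustration; the helper names are my own. The AD bit is only meaningful when the path between the stub and the validating resolver is itself trusted (loopback or a secured channel), which is part of the "last mile" problem.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* DNS header layout (RFC 1035, AD/CD bits from RFC 4035):
 *   bytes 0-1 ID, byte 2 = QR|Opcode|AA|TC|RD, byte 3 = RA|Z|AD|CD|RCODE */
#define DNS_HDR_LEN 12

struct dns_hdr_flags {
    int qr, aa, tc, rd, ra, ad, cd, rcode;
};

/* Parse the fixed 12-byte header. Returns 0 on success, -1 if the message
 * is too short to contain a header at all. */
int dns_parse_flags(const uint8_t *msg, size_t len, struct dns_hdr_flags *f)
{
    if (msg == NULL || f == NULL || len < DNS_HDR_LEN)
        return -1;
    uint8_t b2 = msg[2], b3 = msg[3];
    f->qr    = (b2 >> 7) & 1;
    f->aa    = (b2 >> 2) & 1;
    f->tc    = (b2 >> 1) & 1;
    f->rd    =  b2       & 1;
    f->ra    = (b3 >> 7) & 1;
    f->ad    = (b3 >> 5) & 1;   /* Authenticated Data: resolver validated all RRsets */
    f->cd    = (b3 >> 4) & 1;   /* Checking Disabled: client asked for no validation */
    f->rcode =  b3 & 0x0f;
    return 0;
}

/* Returns 1 only for a successful response (QR=1, RCODE=0) whose AD bit is
 * set; 0 for unvalidated data, errors, or truncated input. This is the
 * signal getaddrinfo() has no way to hand back to the application. */
int dns_answer_authenticated(const uint8_t *msg, size_t len)
{
    struct dns_hdr_flags f;
    if (dns_parse_flags(msg, len, &f) != 0)
        return 0;
    return f.qr && f.rcode == 0 && f.ad;
}

/* Constructed sample headers (not captured traffic), ID 0x1234, one
 * question and one answer. Only the AD bit differs between them. */
static const uint8_t sample_ad[DNS_HDR_LEN] =
    {0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00};
static const uint8_t sample_noad[DNS_HDR_LEN] =
    {0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00};

int main(void)
{
    printf("validated response: AD=%d\n",
           dns_answer_authenticated(sample_ad, sizeof sample_ad));
    printf("unvalidated response: AD=%d\n",
           dns_answer_authenticated(sample_noad, sizeof sample_noad));
    return 0;
}
```

A library that wanted to close this gap would carry the result of dns_answer_authenticated() alongside the address list (or refuse to return unvalidated answers when the caller demanded validation), which is the second half of what the post asks for.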

