against dnssec

Paul Wouters paul at nohats.ca
Sun Jan 18 16:57:24 UTC 2015


On Sun, 18 Jan 2015, Neal Becker wrote:

>
> The article's author has responded here:
> http://sockpuppet.org/stuff/dnssec-qa.html
>
> This quote caught my attention:
>
> DNSSEC deployment guides go so far as to recommend against deployment of DNSSEC
> validation on end-systems. So significant is the inclination against extending

Which is nonsense. DNSSEC is going to the end nodes (stubs). You can't
outsource security anymore, especially with the Crypto Wars re-ignited.

> DNSSEC all the way to desktops that an additional protocol extension (TSIG) was
> designed in part to provide that capability.

TSIG is for authenticating for write access to a zone, for example to
send an NSUPDATE for a host name. It is not a method for securing the
"last mile".

In general, you cannot trust DHCP or the DNS supplied by DHCP. In a
way that's fine because it cannot forge DNSSEC signed data. It can at
most withhold it, and even that will be detected by the stub using it as
a forwarder (and it will stop using the DNS server and try to work
around it - we would do that via dnssec-trigger for now).

This is exactly why DNSSEC will have to go onto the stub resolvers.

Paul
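As an added illustration of the point above about a DHCP-supplied forwarder being unable to forge signed data, and stripping it being detectable (this is example code, not from the thread or from dnssec-trigger): a toy model of a validating stub's decision. An HMAC under a key the stub already trusts stands in for real RRSIG/DNSKEY verification, and the responses are constructed.

```python
"""Toy model of a validating stub resolver judging forwarder answers.
Added example, not code from the mailing list or dnssec-trigger.
Real DNSSEC verifies RRSIG records against DNSKEY/DS chains; here an
HMAC under a key the stub already trusts stands in for that check."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRUSTED_KEY = b"constructed-trust-anchor"  # stand-in for the chain of trust


@dataclass
class Response:
    name: str
    rdata: List[str]          # answer data, e.g. ["192.0.2.10"]
    rrsig: Optional[bytes]    # None when the forwarder stripped the signature
    ds_present: bool          # authenticated parent delegation carries a DS
    no_ds_proven: bool        # signed NSEC/NSEC3 proof that no DS exists


def sign(name: str, rdata: List[str]) -> bytes:
    """Stand-in for an RRSIG over the RRset (toy, not DNSSEC wire format)."""
    msg = (name + "|" + ",".join(rdata)).encode()
    return hmac.new(TRUSTED_KEY, msg, hashlib.sha256).digest()


def validate(resp: Response) -> str:
    """Classify an answer as SECURE, INSECURE or BOGUS like a validator."""
    if not resp.ds_present:
        # Only an authenticated proof of "no DS" lets a zone be treated as
        # insecure; a forwarder merely claiming it is unsigned is bogus.
        return "INSECURE" if resp.no_ds_proven else "BOGUS"
    if resp.rrsig is None:
        return "BOGUS"  # signed zone but signature withheld: detectable
    expected = sign(resp.name, resp.rdata)
    return "SECURE" if hmac.compare_digest(resp.rrsig, expected) else "BOGUS"


def pick_forwarder(candidates: List[Tuple[str, Response]]) -> Optional[str]:
    """Return the first forwarder whose answer is not BOGUS, else None.
    None models the point where a tool like dnssec-trigger would stop using
    the DHCP-supplied server and try to route around it."""
    for forwarder, resp in candidates:
        if validate(resp) != "BOGUS":
            return forwarder
    return None


# Constructed sample answers for a signed zone and an unsigned zone.
GOOD_SIG = sign("www.example.", ["192.0.2.10"])
SIGNED_OK = Response("www.example.", ["192.0.2.10"], GOOD_SIG, True, False)
STRIPPED = Response("www.example.", ["192.0.2.10"], None, True, False)
FORGED = Response("www.example.", ["198.51.100.9"], GOOD_SIG, True, False)
UNSIGNED = Response("www.unsigned.", ["203.0.113.5"], None, False, True)
FAKE_UNSIGNED = Response("www.example.", ["198.51.100.9"], None, False, False)
```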

