Re: git: BIND: enable DNSSEC support for named and related tools

Board: DFBSD_commit  Author/time: 16 years ago (2010/01/19 02:01)
0 comments, 0 participants, thread 2/3
Constantine Aleksandrovich Murenin wrote:

> Shouldn't DNSSEC be off by default?
>
> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc

Well, this problem is patched in our version AFAIK.

> http://www.google.com/search?q=dnssec+site:cr.yp.to
>
> http://cr.yp.to/talks.html#2009.08.10
> http://cr.yp.to/talks/2009.08.10/slides.pdf
> «
> 2009.08.10 09:30 60 minutes invited lecture Canada researchers
> [PDF slides] WOOT 2009. Le Centre Sheraton Hotel, Montreal. "Breaking
> DNSSEC." Keynote lecture. Abstract:
> More than two hundred sites around the world have installed DNSSEC
> during the past year, so attackers can finally gain hands-on
> experience with breaking DNSSEC servers. How quickly does DNSSEC leak
> private information? How powerful are today's DNSSEC servers when they
> are abused as denial-of-service amplifiers? How easy is it to forge
> DNS data from a DNSSEC server?

Yah, DJB isn't making any big revelations there. The amplification attacks have been known since forever (and I'm amazed they've been shrugged off for so long). So we end up with this:

http://www.usenix.org/publications/login/2009-12/openpdfs/metzger.pdf

(this is already in Linux). The other problems DJB is pointing out can make DNSSEC as insecure as DNS, but they are easier to fix and IMHO DNSSEC is still an improvement over DNS, even with those kinds of problems.

The thing is, there is now a huge push to move to DNSSEC and we started seeing real adoption in the last 6 months or so. See http://www.dnssec-deployment.org and http://www.root-dnssec.org. In the end it's more of a political issue than a technical one; I'm under the impression DJB's slides are more subtle on that front than his talks were ;)

That said, you make a very good point about the default being off (for the server) until there's a real-world solution for the amplification issues.

Aggelos
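The amplification problem the reply refers to comes from the size asymmetry between a small UDP query with the EDNS0 DO bit set and the answer it triggers, which carries RRSIG and DNSKEY records. The following is an added example, not code from this thread or from BIND/DragonFly: it builds a query and a DNSSEC-style response in wire format, measures the byte ratio, and shows one server-side mitigation, a per-source token bucket that answers over-limit sources with a truncated (TC=1) reply so a legitimate client retries over TCP while a spoofed victim only receives query-sized packets. All packets are constructed inline; the key and signature lengths are illustrative (sized roughly like RSA KSK/ZSK of the period), the zone `example.com` and the source `203.0.113.7` are documentation names, and `build_signed_response`, `ResponseRateLimiter` and `simulate` are names of this example only.

```python
import struct


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """One resource record, class IN."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def edns_opt(udp_size: int, do: bool) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, type 41, CLASS = advertised UDP payload size,
    TTL field carrying the DO ('DNSSEC OK') bit. This is what makes a 44-byte
    query legitimately ask for a kilobyte-sized answer."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)


def rrsig(owner: str, covered: int, zone: str, sig_len: int) -> bytes:
    """RRSIG RR with constructed fields: type covered, alg 5 (RSA/SHA-1), labels,
    original TTL, expiry, inception, key tag, signer name, zero-filled signature."""
    fields = struct.pack("!HBBIIIH", covered, 5, 2, 3600, 1264000000, 1262000000, 12345)
    return rr(owner, 46, fields + encode_name(zone) + b"\x00" * sig_len)


def build_query(name: str, udp_size: int = 4096, do: bool = True) -> bytes:
    """A-record query, RD set, one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + edns_opt(udp_size, do)


def build_signed_response(query: bytes, name: str, zone: str) -> bytes:
    """Constructed answer: A + its RRSIG, plus the zone's DNSKEY RRset (KSK flags
    257, ZSK flags 256) and that set's RRSIG in the additional section.
    Sizes are illustrative, not measured from any real zone."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 2, 0, 4)  # QR,RD,RA; AN=2, AR=4
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    a_rr = rr(name, 1, bytes([192, 0, 2, 1]))
    ksk = rr(zone, 48, struct.pack("!HBB", 257, 3, 5) + b"\x00" * 260)
    zsk = rr(zone, 48, struct.pack("!HBB", 256, 3, 5) + b"\x00" * 132)
    return (header + question + a_rr + rrsig(name, 1, zone, 128)
            + ksk + zsk + rrsig(zone, 48, zone, 256) + edns_opt(4096, True))


def amplification(query: bytes, response: bytes) -> float:
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)


def truncated_reply(query: bytes) -> bytes:
    """Header + question only, QR and TC set: about as many bytes as the query,
    and a real resolver will retry over TCP, where the source cannot be spoofed."""
    i = 12
    while query[i] != 0:          # skip QNAME labels
        i += query[i] + 1
    question = query[12:i + 1 + 4]  # include terminating 0, QTYPE, QCLASS
    return query[:2] + struct.pack("!HHHHH", 0x8380, 1, 0, 0, 0) + question


class ResponseRateLimiter:
    """Token bucket keyed by source address. Because an attacker forges the
    victim's address, limiting per source caps what the victim receives."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # src -> (tokens, last_seen)

    def answer(self, src: str, query: bytes, full_response: bytes, now: float) -> bytes:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return full_response
        self.buckets[src] = (tokens, now)
        return truncated_reply(query)


def simulate(limiter: ResponseRateLimiter, src: str, query: bytes,
             response: bytes, n: int, now: float = 0.0) -> list:
    """n back-to-back queries from one source at the same instant; reply sizes."""
    return [len(limiter.answer(src, query, response, now)) for _ in range(n)]


if __name__ == "__main__":
    q = build_query("www.example.com")
    r = build_signed_response(q, "www.example.com", "example.com")
    print(f"query {len(q)} B, response {len(r)} B, x{amplification(q, r):.1f}")
    print(simulate(ResponseRateLimiter(rate=10, burst=3), "203.0.113.7", q, r, 5))
```

The ratio printed is of course only as real as the constructed record sizes, but the shape is the point: the DO bit and a large advertised buffer let a 44-byte packet pull down an answer an order of magnitude larger, and the truncate-over-limit response reduces the per-packet cost to a victim to query size without breaking well-behaved resolvers.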
文章代碼(AID): #1BLA7mKX (DFBSD_commit)