Development issues regarding the cerowrt test router project
* [Cerowrt-devel] "DNSSEC considered harmful"
@ 2014-05-08  9:32 Maciej Soltysiak
  2014-05-09  8:38 ` Mikael Abrahamsson
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Maciej Soltysiak @ 2014-05-08  9:32 UTC (permalink / raw)
  To: cerowrt-devel

Hi,

I read a twitter conversation last night where somebody said DNSSEC is
harmful. I asked why and I got this litany of issues:
http://ianix.com/pub/dnssec-outages.html

I was blown away not only by the sheer evidence of outages, but especially
by the quotes in last sections: Miscellaneous and What a mess.

I don't know, have a look, I just wanted to share as I wasn't aware of
things that didn't go well with DNSSEC. I'm not suggesting anything re
Cerowrt here.

Best regards,
Maciej


* Re: [Cerowrt-devel] "DNSSEC considered harmful"
  2014-05-08  9:32 [Cerowrt-devel] "DNSSEC considered harmful" Maciej Soltysiak
@ 2014-05-09  8:38 ` Mikael Abrahamsson
  2014-05-09 15:15 ` Dave Taht
  2014-05-10  1:30 ` David P. Reed
  2 siblings, 0 replies; 5+ messages in thread
From: Mikael Abrahamsson @ 2014-05-09  8:38 UTC (permalink / raw)
  To: Maciej Soltysiak; +Cc: cerowrt-devel

On Thu, 8 May 2014, Maciej Soltysiak wrote:

> Hi,
>
> I read a twitter conversation last night where somebody said DNSSEC is
> harmful. I asked why and I got this litany of issues:
> http://ianix.com/pub/dnssec-outages.html
>
> I was blown away not only by the sheer evidence of outages, but especially
> by the quotes in last sections: Miscellaneous and What a mess.
>
> I don't know, have a look, I just wanted to share as I wasn't aware of
> things that didn't go well with DNSSEC. I'm not suggesting anything re
> Cerowrt here.

The failure mode of encrypted and authenticated communications is
catastrophic failure (=nothing works). There are plenty of people who say
the "proceed anyway" option in modern browsers, when certificate
failures occur, is wrong and the user shouldn't be allowed to continue.

This is why security is so hard, because security protects against a
potential and unknown attack, whereas when it doesn't work, you fail
completely and the user just wants things to work so they'd rather turn
security off and proceed anyway.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se


* Re: [Cerowrt-devel] "DNSSEC considered harmful"
  2014-05-08  9:32 [Cerowrt-devel] "DNSSEC considered harmful" Maciej Soltysiak
  2014-05-09  8:38 ` Mikael Abrahamsson
@ 2014-05-09 15:15 ` Dave Taht
  2014-05-10  1:30 ` David P. Reed
  2 siblings, 0 replies; 5+ messages in thread
From: Dave Taht @ 2014-05-09 15:15 UTC (permalink / raw)
  To: Maciej Soltysiak; +Cc: cerowrt-devel

As issues with any new technology go, that's a fairly trivial list when
compared to Heartbleed or the spam-filled swamp that email is.

I have a fairly long list of everything that is majorly wrong with the
internet that is worth working on I guess I should publish somewhere.

While I am unhappy negative proofs didn't work very well and it looks like
some sort of whitelist is needed to deal with broken on dnssec sites like
bankofamericas, I still view the benefits as outweighing the negatives.

On May 9, 2014 12:16 AM, "Maciej Soltysiak" <maciej@soltysiak.com> wrote:

> Hi,
>
> I read a twitter conversation last night where somebody said DNSSEC is
> harmful. I asked why and I got this litany of issues:
> http://ianix.com/pub/dnssec-outages.html
>
> I was blown away not only by the sheer evidence of outages, but especially
> by the quotes in last sections: Miscellaneous and What a mess.
>
> I don't know, have a look, I just wanted to share as I wasn't aware of
> things that didn't go well with DNSSEC. I'm not suggesting anything re
> Cerowrt here.
>
> Best regards,
> Maciej


* Re: [Cerowrt-devel] "DNSSEC considered harmful"
  2014-05-08  9:32 [Cerowrt-devel] "DNSSEC considered harmful" Maciej Soltysiak
  2014-05-09  8:38 ` Mikael Abrahamsson
  2014-05-09 15:15 ` Dave Taht
@ 2014-05-10  1:30 ` David P. Reed
  2014-05-11 13:43   ` Török Edwin
  2 siblings, 1 reply; 5+ messages in thread
From: David P. Reed @ 2014-05-10  1:30 UTC (permalink / raw)
  To: Maciej Soltysiak, cerowrt-devel

Reading a lot of this stuff suggests at most that DNSSEC is being overhyped and poorly implemented.

As a reason to abandon work on deploying DNSSEC so that it's easier to instantiate man in the middle attacks I find it unconvincing.

Is there an alternative?

On May 8, 2014, Maciej Soltysiak <maciej@soltysiak.com> wrote:
>Hi,
>
>I read a twitter conversation last night where somebody said DNSSEC is
>harmful. I asked why and I got this litany of issues:
>http://ianix.com/pub/dnssec-outages.html
>
>I was blown away not only by the sheer evidence of outages, but especially
>by the quotes in last sections: Miscellaneous and What a mess.
>
>I don't know, have a look, I just wanted to share as I wasn't aware of
>things that didn't go well with DNSSEC. I'm not suggesting anything re
>Cerowrt here.
>
>Best regards,
>Maciej

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.


* Re: [Cerowrt-devel] "DNSSEC considered harmful"
  2014-05-10  1:30 ` David P. Reed
@ 2014-05-11 13:43   ` Török Edwin
  0 siblings, 0 replies; 5+ messages in thread
From: Török Edwin @ 2014-05-11 13:43 UTC (permalink / raw)
  To: cerowrt-devel

On 05/10/2014 04:30 AM, David P. Reed wrote:
> Reading a lot of this stuff suggests at most that DNSSEC is being overhyped and poorly implemented.
> 
> As a reason to abandon work on deploying DNSSEC so that it's easier to instantiate man in the middle attacks I find it unconvincing.
> 
> Is there an alternative?

For protecting just the DNS client <-> DNS server communication there is http://dnscurve.org/index.html
It doesn't seem to provide a way for a domain owner to cryptographically sign the records though.

Best regards,
--Edwin
