
Re: [LUG] DNSSEC was Re: IP Source Address Spoofing and why Open DNS resolvers will get you hacked was Re: Open DNS Resolvers

On 18/05/13 03:23, Simon Waters wrote:
> On 18/05/13 01:12, bad apple wrote:
>> Even the techies I know seem to have a blind spot about this: SSH, mail
>> and web servers are all locked down and well looked after whilst DNS
>> just swings in the wind. There is even a three-step wizard in bloody
>> Server 2012 (Microsoft) that correctly implements DNSSEC on your zones,
>> for the love of god. So, if you admin any DNS servers and aren't running
>> DNSSEC on them, please also kill yourself now.
> I don't know it is a blind spot, it may be a rational response to the
> environment which exists.
>
> DNSSEC is not simply a case of signing your zones; anyone can sign a
> zone file, it is one command in dnssec-tools (who needs a wizard?). It
> also requires trust management, and that is the messy bit.
>
> It was only just over 2 years since the folks running .ORG finished
> convincing themselves they could do a zone transfer successfully with
> DNSSEC, and they had to make some fixes after that report was done to
> their interfaces.
>
> To choose to implement it, we'd do it everywhere (we can't be messing
> about with some TLDs and not others, some registrars and not others), we
> need every registry we use to be on board and up to speed, I think that
> is now (finally) the case. We also want most registrars we do transfers
> with, which is potentially all of them, to be up to speed, to avoid
> outage on zone transfers (not happened yet).
>
> In our case we would probably have to switch most of our domains to a
> new registrar, as one of the current ones doesn't implement a proper
> procedure for DS delegation yet (they are late to the party). As such it
> can't be routine, they still take DS delegation requests by email, I can
> send then several thousand emails fairly swiftly if I choose to
> implement DNSSEC. I'm guessing it might take them a while to process them.
>
> The upshot of getting it right is great, get it wrong and you break a
> small number of users' access to the DNS in ways which aren't reported
> to end users clearly. This is not a good situation to present to management:
>
> "I want to rewrite all the scripts we use for DNS management, I want to
> make fundamental changes to how DNS works here, I want to migrate all
> zones to a new registrar, it will protect a few people from an attack
> you've never seen as a problem. I want to complicate an already messy
> domain transfer procedure. The best case scenario is everything works as
> before, the worst case scenario is we break the DNS for some of our
> customers' users (they'll know it is our fault but they might not be able
> to explain what we did in their support requests)".
>
> Management are likely to say "can we do this some other way", and I can
> say "we could sell all our clients who want this sort of protection SSL
> certificates and pocket a tidy profit per client" in the process.
>
> The cost of implementation of these changes is going to be fairly
> substantial, and the benefits are marginal (we can say we support DNSSEC
> on the website when selling domains). These types of change are not
> going to happen unless there is a mandate - like .GOV users had, or a
> client who demands it and is big enough financially to be worth the costs.
>
> Most end users as far as I can establish are not validating DNSSEC
> responses.
>
> Folks do try:
>
> http://dnssectest.sidn.nl/test.php
>
> http://dnssec.vs.uni-due.de/
>
> I'm protected - when I looked at public open resolvers not long ago, I
> found the situation was dire.
>
> Seems Google now do DNSSEC validation on 8.8.8.8 and 8.8.4.4; seems it
> was added 12 days ago!
>
> http://googleonlinesecurity.blogspot.co.uk/2013/03/google-public-dns-now-supports-dnssec.html
>
> Validating DNSSEC is the easy bit; all most people need to do is switch
> it on in your resolver software. I can imagine Google's was harder work
> than that purely from a question of scale.
>
> If I was trying hard to sell DNSSEC to management, I might plug it as
> making it harder for clients to move domains away ;)
>

+5: "Insightful"

Saved me a massive future rant. Also, in a moment of madness when I
typed that earlier email I hadn't even considered the situation with..
*shudders* registrars. Oh well, I guess, like IPv6 this is just another
one of those things that we're just going to have to wait for mainstream
adoption to kick in before we can all enjoy it. By which point it will
of course probably be obsolete.

> If I was trying hard to sell DNSSEC to management, I might plug it as
> making it harder for clients to move domains away ;)

+5: "Genius"

Damn, I should have thought of this angle before... Duly noted, trying
it on Monday!

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
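Added worked example, not code from this thread or from the list: the "messy bit" Simon describes is getting the DS record into the parent zone via the registrar, and a DS that does not match the published DNSKEY makes every validating resolver (including 8.8.8.8 now) SERVFAIL the whole zone. The script below computes the DS from a DNSKEY the way RFC 4034 specifies (key tag from Appendix B, SHA-256 digest type 2 over the canonical owner name plus the DNSKEY RDATA) and checks that the DS a registrar echoes back matches, so the mismatch is caught before it reaches the parent. The key bytes, the owner name example.com and the function names are constructed for the demo; the key is not a real ECDSA P-256 key.

```python
"""DS record generation and verification per RFC 4034 (added example).

Key material here is constructed: bytes(range(64)) stands in for a 64-byte
ECDSA P-256 public key (algorithm 13). example.com is a placeholder owner.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5):
    sum the RDATA as 16-bit big-endian words, fold the carry once, mask to 16 bits."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a SHA-256 DS
    (digest type 2). The digest input is the owner name in canonical wire form
    followed by the DNSKEY RDATA (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def format_ds(owner: str, ds) -> str:
    """Presentation format, as it goes into the parent zone or a registrar form."""
    tag, alg, dtype, digest = ds
    return f"{owner.lower().rstrip('.')}. IN DS {tag} {alg} {dtype} {digest}"


def ds_matches(owner, flags, protocol, algorithm, pubkey, published_ds) -> bool:
    """Check that a DS (as echoed back by the registrar or seen in the parent)
    matches our own DNSKEY. Whitespace and case in the hex digest are ignored,
    as RFC 4034 s5.3 allows them in presentation format."""
    tag, alg, dtype, digest = published_ds
    normalised = (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())
    return ds_record(owner, flags, protocol, algorithm, pubkey) == normalised


if __name__ == "__main__":
    # Constructed KSK: flags 257 = ZONE + SEP bit, protocol 3, algorithm 13.
    fake_key = bytes(range(64))
    ds = ds_record("example.com.", 257, 3, 13, fake_key)
    print(format_ds("example.com.", ds))
```

Compare the whole tuple, not just the key tag: the tag is a 16-bit checksum and two different keys can share one, so the digest is what actually ties the DS to the DNSKEY. Rolling the KSK means regenerating the DS and repeating this check against what the registrar publishes before the old key is withdrawn.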