lists.isc.org rDNS failed, DNSSEC?

Marc Lampo marc.lampo at eurid.eu
Tue Feb 28 12:16:16 UTC 2012


Please allow some partly (or mostly) non-technical feedback,
as security officer for a TLD (.eu).
 
First of all: I do not deny DNSSEC adds a challenge for administrators.
They must understand that adding this additional SECurity aspect
will generate extra work (key generation/re-generation, signing and
re-signing).
Point taken, but let me come back to those later.
 
The (non-technical) response:
When I get in my car, I put my safety belt on.
(I know some may point at undesired effects,
 and I do not want to have that discussion on this list),
but the point is:
I do hope I will never need the protection offered by the safety belt,
but "if", then I'll be happy I took the precaution.
 
The similarity to DNSSEC is that we all hope we will not need the
protection it offers,
but "if" an attacker finds it interesting to attempt an exploit,
I will be glad I took the precaution of activating DNSSEC.
 
 
How popular are these attacks against which DNSSEC offers protection?
From what I can see (my view being limited), the most 'effective' ones,
for lack of a better word, in 2011 were not DNS related.
Social engineering, making people "do" something (click a URL, open an
attachment),
is a far more effective way for attackers to get their thing done.
 
  
Does this mean we don't have to put the safety belt on?
I daresay: no.
Attackers constantly look for new ways; therefore, if an attacker comes up
with an approach
that becomes popular because of ease/speed/effectiveness, and that approach
would have been prevented by DNSSEC, we will be happy that we
already deployed DNSSEC.
 
 
To conclude, some (technical) suggestions:
- when offering DNSSEC on authoritative name servers,
  try to rely on automation (like scripts)
  rather than on humans typing - and re-typing - the same commands over and
  over.
- allow yourself a period of testing.
  Do *not* immediately have DS information put in the parent zone
  (thus completing the chain of trust,
   but also making validation mandatory;
   after all, this is a *test* period).
  (Look how TLDs migrate towards DNSSEC.
   Exactly the same:
   first offer DNSKEYs and RRSIGs, but no DS in the root zone.)
- and may I also plead for validation on caching/forwarding name servers?
  Because it makes no sense to add signatures that can be validated to
  DNS replies
  if the signatures are simply ignored.
 
 
Kind regards,
 
Marc Lampo
Security Officer
EURid (for .eu)
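Two of the suggestions above (automate re-signing so signatures never lapse, and know whether the parent actually links your keys before you treat the deployment as live) can be checked mechanically from zone-file text. The Python below is an added example written for this page; it is not code from the thread, from EURid or from ISC. The zone lines, the key tags 11111 and 22222, the truncated key/signature blobs and the all-zero DS digest are constructed sample data, and "now" is pinned to the date of the post so the sample classifies meaningfully. It reads key tags from the RRSIG and DS fields rather than computing them from the DNSKEY RDATA.

```python
# Added example (not from the thread, EURid or ISC): check RRSIG expiry and
# whether the parent publishes a DS for the key that signs the DNSKEY RRset.
from datetime import datetime, timedelta, timezone

RRSIG_TIME = "%Y%m%d%H%M%S"  # expiration/inception format in RRSIG presentation form

# Date of the post above, used as "now" so the constructed sample below is meaningful.
NOW = datetime(2012, 2, 28, 12, 16, 16, tzinfo=timezone.utc)

# Constructed sample zone: key tags 11111/22222 and the base64 blobs are made up.
CHILD_ZONE = """\
example.org.     3600 IN DNSKEY 257 3 8 AwEAAc...  ; KSK, assumed key tag 11111
example.org.     3600 IN DNSKEY 256 3 8 AwEAAd...  ; ZSK, assumed key tag 22222
example.org.     3600 IN RRSIG DNSKEY 8 2 3600 20120401000000 20120201000000 11111 example.org. c2ln...
example.org.     3600 IN RRSIG SOA 8 2 3600 20120224000000 20120125000000 22222 example.org. c2ln...
www.example.org. 3600 IN A 192.0.2.10
www.example.org. 3600 IN RRSIG A 8 3 3600 20120303000000 20120201000000 22222 example.org. c2ln...
"""

# Constructed DS at the parent for the KSK above (the SHA-256 digest is a placeholder).
PARENT_DS = "example.org. 86400 IN DS 11111 8 2 " + "00" * 32 + "\n"


def parse_records(zone_text):
    """Yield (owner, rrtype, rdata_fields) for each record line in presentation
    format. Comments are stripped; optional TTL and class fields are skipped."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():                        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
            rest = rest[1:]
        if rest:
            yield owner, rest[0].upper(), rest[1:]


def rrsig_status(zone_text, now=NOW, warn=timedelta(days=7)):
    """Classify each RRSIG as expired / not_yet_valid / expiring / ok relative
    to `now`. Running this from cron is the check whose absence leads to the
    expired-signature outage discussed in the thread."""
    result = []
    for owner, rrtype, rdata in parse_records(zone_text):
        if rrtype != "RRSIG":
            continue
        covered, _alg, _labels, _ottl, expiration, inception, keytag, signer = rdata[:8]
        exp = datetime.strptime(expiration, RRSIG_TIME).replace(tzinfo=timezone.utc)
        inc = datetime.strptime(inception, RRSIG_TIME).replace(tzinfo=timezone.utc)
        if now >= exp:
            state = "expired"
        elif now < inc:
            state = "not_yet_valid"
        elif exp - now <= warn:
            state = "expiring"
        else:
            state = "ok"
        result.append({"owner": owner, "covered": covered.upper(), "keytag": int(keytag),
                       "signer": signer, "expires": exp, "state": state})
    return result


def needs_resign(statuses):
    """True if any signature is already bad or inside the warning window."""
    return any(s["state"] in ("expired", "expiring", "not_yet_valid") for s in statuses)


def chain_of_trust(zone_text, parent_text):
    """Compare the key tags signing the child's DNSKEY RRset with the key tags
    in the parent's DS records. No matching DS means the zone is still in the
    DS-less test period: signed, but validators do not yet require it to validate."""
    ksk_tags = {int(rdata[6]) for _o, t, rdata in parse_records(zone_text)
                if t == "RRSIG" and rdata[0].upper() == "DNSKEY"}
    ds_tags = {int(rdata[0]) for _o, t, rdata in parse_records(parent_text) if t == "DS"}
    linked = ksk_tags & ds_tags
    return {"ksk_tags": ksk_tags, "ds_tags": ds_tags, "linked": linked, "in_chain": bool(linked)}


if __name__ == "__main__":
    statuses = rrsig_status(CHILD_ZONE)
    for s in statuses:
        print(f"{s['owner']:18} RRSIG {s['covered']:7} tag {s['keytag']} "
              f"expires {s['expires']:%Y-%m-%d} {s['state']}")
    print("re-sign needed:", needs_resign(statuses))
    print("DS published at parent:", chain_of_trust(CHILD_ZONE, PARENT_DS))
    print("no DS at parent (test period):", chain_of_trust(CHILD_ZONE, ""))
```

On the sample, the SOA signature is already expired, the A signature is inside the seven-day warning window, and only the DNSKEY signature is healthy; the parent's DS links key tag 11111, so this zone is past the test period and a lapsed signature would mean SERVFAIL at every validating resolver rather than a silent fallback.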

-----Original Message-----
From: michoski [mailto:michoski at cisco.com] 
Sent: 24 February 2012 06:01 AM
To: Vinny_Abello at Dell.com; kob6558 at gmail.com; marka at isc.org
Cc: bind-users at isc.org
Subject: Re: lists.isc.org rDNS failed, DNSSEC?

On 2/23/12 8:48 PM, "Vinny_Abello at Dell.com" <Vinny_Abello at Dell.com> wrote:

> I kind of had the same thought... If ISC had a DNS outage due to expired
> signatures of a zone, what chance do I have in successfully deploying and
> maintaining DNSSEC for my zones? Sure, everyone makes mistakes, but I think it
> speaks volumes to the inherent complexity and the further need for simplifying
> the maintenance of signed zones. I know that progress is continually being
> made on this front and I think others agree... Just pointing it out again. I
> have nothing against DNSSEC, personally. I'd love to deploy it. I just don't
> have the time to maintain it or worry about maintaining it right now.

Much agreed, though I want to point out that you should only generally
deploy DNSSEC (or any new technology?) if the benefit outweighs the cost.
Adopting new technology "just because" usually leads to trouble (or
overworked admins that give up and go elsewhere).

What's the potential risk to your organization if the mythical "determined
attacker" is able to negatively or positively spoof resource records under
your control?  Maybe not much for you, maybe millions for financial orgs.

If the potential cost to the organization is high enough... It will justify
paying a team of folks to maintain DNSSEC.  :-)

That said, I too look forward to a day when security is easier and more
automatic.  Much progress has been made, and I have high hopes and faith in
ISC and the DNS community at large.

http://www.jnd.org/books.html

-- 
Time is the coin of your life. It is the only coin you have, and only you
can determine how it will be spent. Be careful lest you let other people
spend it for you.  -- Carl Sandburg