Please describe DNS/Weaver/dnsops here.

{{{
Sender: Nicholas Weaver

> On Mar 13, 2015, at 7:59 PM, Paul Vixie wrote:
>
> Nicholas Weaver Saturday, March 14, 2015 5:07 AM
>>
>>> ...
>>>
>>> Overall, unless you are validating on the end host rather than the recursive resolver, DNSSEC does a lot of harm from misconfiguration-DOS, but almost no good.
>>
> several of us jumped for joy in 2008 when kaminsky showed rdns poisoning to be a trivial exercise, because it finally provided justification for what was at that time 12 years of apparently-wasted effort on DNSSEC.

But it didn't justify DNSSEC, even at the time. Between actually adding in a bit more entropy in the request through 0x20 and port randomization, and more importantly cleaning up the glue policy for recursive resolvers (which Unbound did), you close the door on off-path attackers: both making races harder AND eliminating the "race until win" property. In fact, several have viewed the glue policy cleanup which gets to the root cause of the Kaminsky problem as detrimental specifically because of the desire to force DNSSEC adoption.

> so we'll keep pushing the crap system we have, uphill all the way, no one loving it, and almost everyone in fact hating it. we've now spent more calendar- and person-years on DNSSEC than was spent on the entire IPv4 protocol suite (including DNS itself) as of 1996 when the DNSSEC effort began. ugly, ugly, ugly.

At which point is it sunk cost fallacy? "DNS is insecure, live with it" may be the best answer. Why keep throwing good effort after bad? It certainly is a hell of a lot better than the DOS attack that is recursive resolver validation which provides almost no meaningful security gain.

If I was Comcast, after the HBO DNSSEC mess-up, on top of previous mess-ups where Comcast inevitably gets the blame, I'd be really really tempted to turn OFF DNSSEC validation.

It has failed.

--
Nicholas Weaver
it is a tale, told by an idiot,
}}}
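The message above names two off-path defenses without showing how they work: adding entropy to each query (0x20 case randomization plus source-port randomization) and a stricter glue/credibility policy in the recursive resolver so that one forged reply that wins a race cannot overwrite an existing cached answer. The following Python is an added illustration written for this page; it is not code from the thread, from Unbound, or from any resolver, and the trust levels, zone names and addresses in it are constructed assumptions.

```python
"""Added example (not from the dnsop thread): the off-path defenses Weaver
names, modelled on a toy resolver cache. All names, addresses and the trust
ranking below are constructed for illustration."""
import secrets

# Constructed credibility ranking: data from the answer section of an
# in-bailiwick reply outranks glue carried in the additional section.
ANSWER = 2
GLUE = 1


def encode_0x20(qname, flip=lambda: secrets.randbits(1)):
    """Randomize the case of every ASCII letter in the query name ("0x20").
    A forged reply must echo the exact case pattern or it is discarded."""
    return "".join(
        (c.upper() if flip() else c.lower()) if c.isalpha() else c
        for c in qname
    )


def extra_entropy_bits(qname, random_ports=True):
    """Bits an off-path forger must guess beyond the 16-bit transaction ID:
    one per letter from 0x20, plus roughly 16 from a randomized source port."""
    bits = sum(1 for c in qname if c.isalpha())
    if random_ports:
        bits += 16
    return bits


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it (case-insensitive)."""
    o = owner.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)


class Cache:
    """Minimal cache that never lets lower-credibility data replace higher."""

    def __init__(self):
        self.entries = {}

    def insert(self, name, rdata, trust):
        key = name.lower().rstrip(".")
        existing = self.entries.get(key)
        if existing and existing[1] > trust:
            return False  # glue may not overwrite a cached answer
        self.entries[key] = (rdata, trust)
        return True

    def lookup(self, name):
        entry = self.entries.get(name.lower().rstrip("."))
        return entry[0] if entry else None


def process_reply(cache, zone, answers, additional):
    """Apply the bailiwick check, then ranked insertion.
    Returns the number of records actually accepted into the cache."""
    accepted = 0
    for owner, rdata in answers:
        if in_bailiwick(owner, zone) and cache.insert(owner, rdata, ANSWER):
            accepted += 1
    for owner, rdata in additional:
        if in_bailiwick(owner, zone) and cache.insert(owner, rdata, GLUE):
            accepted += 1
    return accepted


def poisoned_glue_is_rejected():
    """Constructed scenario: a reply for a random subdomain is accepted, but the
    additional-section record it carries for www.example.com cannot displace the
    answer already cached with higher credibility. Returns the surviving address."""
    cache = Cache()
    cache.insert("www.example.com", "192.0.2.10", ANSWER)  # legitimate answer
    process_reply(
        cache,
        "example.com",
        answers=[("zz1234.example.com", "198.51.100.1")],
        additional=[("www.example.com", "198.51.100.66")],  # would-be override
    )
    return cache.lookup("www.example.com")


if __name__ == "__main__":
    print(encode_0x20("www.example.com"), extra_entropy_bits("www.example.com"))
    print(poisoned_glue_is_rejected())
```

The credibility ranking is what removes the "race until win" property the message refers to: an attacker can still try to win a race for a fresh random name, but winning it no longer lets additional-section data replace the cached record for the name that actually matters. The entropy helpers quantify why the race itself also gets harder once case and port are randomized.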