On 2013-09-06, at 10:16, Theodore Ts'o <tytso@xxxxxxx> wrote: > On Fri, Sep 06, 2013 at 06:20:48AM -0700, Pete Resnick wrote: >> >> In email, >> we insist that you authenticate the recipient's certificate before >> we allow you to install it and to start encrypting, and prefer to >> send things in the clear until that is done. That's silly and is >> based on the assumption that encryption isn't worth doing *until* we >> know it's going to be done completely safely. > > Speaking of which, Jim Gettys was trying to tell me yesterday that > BIND refuses to do DNSSEC lookups until the endpoint client has > generated a certificate. All modern DNSSEC-capable resolvers (regardless of whether validation has been turned on) will set DO=1 in the EDNS0 header and will retrieve signatures in responses if they are available. BIND9 is not a counter-example. Regardless, an end host downstream of a resolver that behaves differently (but that is capable of and desires to perform its own validation) can detect an inability to receive signatures, and can act accordingly. There is no client certificate component of DNSSEC. The trust anchor for the system is published as part of root zone processes at IANA, and a variety of mechanisms are available to infer trust in a retrieved trust anchor. (These could use more work, but they exist.) There is a (somewhat poorly-characterised and insufficiently-measured) interaction with a variety of middleware in firewalls, captive hotel hotspot, etc that will prevent an end host from being able to validate responses from the DNS, but in those cases the inability to validate is known by the end host; you still have the option of closing your laptop and reattaching it to the network somewhere else. > Which is bad, since out-of-box, a home > router doesn't have much in the way of entropy at that point, so you > shouldn't be trying to generate certificates at the time of the first > boot-up, but rather to delay until you've had enough of a chance to > gather some entropy. In DNSSEC, signatures are generated before publication of zone data, and are verified by validators. You don't need a high-quality entropy source to validate a signature. There is no DNSSEC requirement for entropy in a home router or an end host. > (Or put in a real hardware RNG, but a > race-to-the-bottom in terms of BOM costs makes that not realistic.) I > told him that sounds insane, since you shouldn't need a > certificate/private key in order to do digital signature verification. I think you were on the right track, there. > Can someone please tell me that BIND isn't being this stupid? This thread has mainly been about privacy and confidentiality. There is nothing in DNSSEC that offers either of those, directly (although it's an enabler through approaches like DANE to provide a framework for secure distribution of certificates). If every zone was signed and if every response was validated, it would still be possible to tap queries and tell who was asking for what name, and what response was returned. Joe