Re: [DNSOP] Practical issues deploying DNSSEC into the home.

On Thu, Sep 12, 2013 at 1:21 PM, Theodore Ts'o <tytso@xxxxxxx> wrote:
On Thu, Sep 12, 2013 at 04:46:01PM +0000, Ted Lemon wrote:
>
> The model for this sort of validation is really not on a per-client
> basis, but rather depends on routine cross-validation by various
> DNSSEC operators throughout the network.  This will not necessarily
> catch a really focused attack, so it's not a panacea, but it would
> limit the scope of the threat for this sort of attack.

Fair enough, but if the goal is to prevent pervasive surveillance,
simply using a key exchange which provides perfect forward secrecy
will do that, even given the pathetic state of https security given
the realities of the web and the CA's out there.

Still, I agree with the general precept that perfect should not be the
enemy of the better, and DNSSEC certainly adds value.  I just get worried
about people who seem to think that DNSSEC is a panacea.

+1

DNSSEC is a very useful tool. But don't try to make it do things that it was never designed for.

In particular, I bank with Bank of America, not bankamerica.com [1]. That has profound implications for the types of security that are possible with DNSSEC.

Deployment of DNSSEC permits an Internet user to avoid a downgrade attack which is vital when you have an Internet that is insecure by default and security is the exception. That is what I want DNSSEC to address.


Given Jim's original question, having time good to 1 hour seems perfectly acceptable for purposes of risk mitigation. If you need higher degrees of assurance then use machines that DO have a built-in real-time clock. If, that is, you think it is reasonable to use the DNS to publish information that changes more rapidly. When I started doing Internet stuff the TTL on DNS records tended to be three days by default. The registries took 24 hours to reflect changes.


As a general rule it is much more productive if people respect the fact that someone just might be suggesting a limitation of an infrastructure because they want to help solve a problem rather than dismissing everything as FUD. One of the main reasons it has taken so long to get DNSSEC to this stage is that honest attempts to make the system practical were treated as covert sabotage attempts.



[1] Actually I don't; it is an example.
--
Website: http://hallambaker.com/
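
The post argues that a clock accurate to about an hour is good enough for a validator doing risk mitigation, and that record TTLs used to be days long. The following is an added example, not code from this thread or from any DNSSEC implementation, showing how a validator applies an RRSIG inception/expiration window with a clock-skew tolerance and how it caps the cache TTL to the remaining signature lifetime (the RFC 4034 section 3.1.5 serial-number time format and the RFC 4035 section 5.3.3 TTL cap). The `skew` parameter, the function names and every timestamp are constructed for the example.

```python
"""Added example (not from the mailing-list thread or any resolver's code).

Checks whether an RRSIG inception/expiration window accepts a validator
whose clock may be off by up to a fixed tolerance, as a validator on a
home device without a real-time clock might be.  Times use the
YYYYMMDDHHmmSS UTC presentation format and the 32-bit serial-number
arithmetic of RFC 4034 section 3.1.5.  All sample values are constructed.
"""

from datetime import datetime, timezone

MOD = 1 << 32  # RRSIG times are 32-bit, compared with serial arithmetic


def parse_rrsig_time(text: str) -> int:
    """Convert a YYYYMMDDHHmmSS (UTC) string to seconds since epoch mod 2^32."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_lt(a: int, b: int) -> bool:
    """a < b under RFC 1982 serial-number arithmetic on 32-bit values."""
    return (a < b and b - a < MOD // 2) or (a > b and a - b > MOD // 2)


def rrsig_window_status(inception: str, expiration: str, now: int,
                        skew: int = 0) -> str:
    """Return 'valid', 'not_yet_valid' or 'expired'.

    `now` is the validator's own clock, which may be wrong by up to `skew`
    seconds in either direction (constructed parameter).  The window is
    widened by the skew so a merely coarse clock does not reject a fresh
    signature; anything outside even the widened window is rejected.
    """
    inc = parse_rrsig_time(inception)
    exp = parse_rrsig_time(expiration)
    earliest = (inc - skew) % MOD
    latest = (exp + skew) % MOD
    if serial_lt(now, earliest):
        return "not_yet_valid"
    if serial_lt(latest, now):
        return "expired"
    return "valid"


def cache_ttl(record_ttl: int, expiration: str, now: int) -> int:
    """Cap a validated record's TTL at the remaining signature lifetime.

    A validator must not serve an RRset from cache after its RRSIG has
    expired (RFC 4035 section 5.3.3), so a three-day TTL on a record whose
    signature expires in twelve hours is cached for twelve hours only.
    """
    exp = parse_rrsig_time(expiration)
    if serial_lt(exp, now):
        return 0
    remaining = (exp - now) % MOD
    return min(record_ttl, remaining)


if __name__ == "__main__":
    # Constructed signature window: one week starting 2013-09-12 00:00 UTC.
    inception, expiration = "20130912000000", "20130919000000"
    # A validator whose clock is 30 minutes slow, before the inception time.
    slow_clock = parse_rrsig_time("20130911233000")
    print("exact clock:", rrsig_window_status(inception, expiration, slow_clock))
    print("1h tolerance:", rrsig_window_status(inception, expiration,
                                               slow_clock, skew=3600))
    # A three-day TTL twelve hours before the signature expires.
    print("cached for:", cache_ttl(259200, expiration,
                                   parse_rrsig_time("20130918120000")), "s")
```

The tolerance only widens the window by the assumed clock error; a signature whose window has long passed is still rejected, which is the downgrade protection the post wants DNSSEC to provide. The TTL cap is what makes long record TTLs coexist with signature lifetimes measured in days.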
