<div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_extra"><div class="gmail_quote">On Mon, Apr 14, 2014 at 1:55 AM, Viktor Dukhovni <span dir="ltr"><<a href="mailto:cryptography@dukhovni.org" target="_blank">cryptography@dukhovni.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="">On Sun, Apr 13, 2014 at 12:08:42PM -0400, ianG wrote:<br>
<br>
> > Of course all of this is predicated on the notion that the DNSSEC<br>
> > last-mile problems will be solved, which may require pressure for<br>
> > them to be solved, which may require some non-trivial adoption, a<br>
> > catch-22 perhaps.<br>
><br>
> What is the DNSSEC last-mile problem? It's the week for displaying<br>
> ignorance, seemingly.<br>
<br>
</div>DNSSEC works fine on the Internet backbone, but is not yet widely<br>
compatible with "last-mile" networks. Various hotel, airport,<br>
coffee-shop captive portals, behind some firewalls, ...<br>
<br>
These are rarely environments in which SMTP MTAs find themselves,<br>
but they are rather more common for browsers.<br>
<br>
There are probably folks on this list more knowledgeable than I<br>
on the various last-mime barriers to DNSSEC.</blockquote><div> </div><div class="gmail_default" style="font-size:small">The last mile hold up for DNSSEC has been one of the typical "tragedy of the commons" funding problem plaguing so much of our infrastructure software. Those who should support its deployment have been too clueless to fund key software, as has happened to our detriment with OpenSSL. For DNSSEC, however, there is a glimmer of light, courtesy of Comcast.</div>
<div> </div><div class="gmail_default" style="font-size:small">The most common DNS implementation in the world is Dnsmasq <a href="http://www.thekelleys.org.uk/dnsmasq/doc.html">http://www.thekelleys.org.uk/dnsmasq/doc.html</a>, used on home routers and many other devices, and as a local caching resolver on Android and Linux. Its author is Simon Kelley.</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The latest release (2.69) of Dnsmasq has support for DNSSEC.</div><div class="gmail_default" style="font-size:small">
<br></div><div class="gmail_default" style="font-size:small">You can thank Jason Livingood of Comcast for arranging for Comcast to support Simon's work on Dnsmasq to implement DNSSEC; for the first time Simon has been able to work on Dnsmasq full time since last summer to bring DNSSEC in Dnsmasq to completion.</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">We are shaking down this version of Dnsmasq in CeroWrt <a href="http://www.bufferbloat.net/projects/cerowrt">http://www.bufferbloat.net/projects/cerowrt</a> which you should regard as an advanced build of OpenWrt (<a href="http://www.openwrt.org">www.openwrt.org</a>). Both Google and Comcast DNS infrastructures fully support DNSSEC; we can just plug in our router and "the right thing happens" when you do. Relatively few sites have signed their domains at this date. </div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Unfortunately, the home router industry is seriously dysfunctional; don't expect widespread deployment of this version of Dnsmasq for 3-4 years.</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Everyone on this list is clever enough run open source firmware in your home environments, aren't you? Or do you prefer the challenge of having trivial to crack, man in the middle boxes in your personal environment, complete with radios for better listening and cracking pleasure as honeypots? And this while for the last several months "The Moon" worm has been accumulating the addresses of your home router, for some future exploit?</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">And you all help test and look for vulnerabilities in the technology we all depend on during its development, so that problems are discovered long before widespread deployment, don't you?</div>
<div class="gmail_default" style="font-size:small"> - Jim</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">
<br></div></div></div></div>