[Cryptography] DNSSEC last mile (was) Re: Preliminary review of the other Applied Cryptography

Jim Gettys jg at freedesktop.org
Mon Apr 14 11:04:07 EDT 2014


On Mon, Apr 14, 2014 at 1:55 AM, Viktor Dukhovni
<cryptography at dukhovni.org> wrote:

> On Sun, Apr 13, 2014 at 12:08:42PM -0400, ianG wrote:
>
> > > Of course all of this is predicated on the notion that the DNSSEC
> > > last-mile problems will be solved, which may require pressure for
> > > them to be solved, which may require some non-trivial adoption, a
> > > catch-22 perhaps.
> >
> > What is the DNSSEC last-mile problem?  It's the week for displaying
> > ignorance, seemingly.
>
> DNSSEC works fine on the Internet backbone, but is not yet widely
> compatible with "last-mile" networks.  Various hotel, airport,
> coffee-shop captive portals, behind some firewalls, ...
>
> These are rarely environments in which SMTP MTAs find themselves,
> but they are rather more common for browsers.
>
> There are probably folks on this list more knowledgeable than I
> on the various last-mile barriers to DNSSEC.


The last mile hold up for DNSSEC has been one of the typical "tragedy of
the commons" funding problems plaguing so much of our infrastructure
software.  Those who should support its deployment have been too clueless
to fund key software, as has happened to our detriment with OpenSSL.  For
DNSSEC, however, there is a glimmer of light, courtesy of Comcast.

The most common DNS implementation in the world is Dnsmasq
http://www.thekelleys.org.uk/dnsmasq/doc.html, used on home routers and
many other devices, and as a local caching resolver on Android and Linux.
Its author is Simon Kelley.

The latest release (2.69) of Dnsmasq has support for DNSSEC.

You can thank Jason Livingood of Comcast for arranging for Comcast to
support Simon's work on Dnsmasq to implement DNSSEC; for the first time
Simon has been able to work on Dnsmasq full time since last summer to bring
DNSSEC in Dnsmasq to completion.

We are shaking down this version of Dnsmasq in CeroWrt
http://www.bufferbloat.net/projects/cerowrt which you should regard as an
advanced build of OpenWrt (www.openwrt.org).  Both Google and Comcast DNS
infrastructures fully support DNSSEC; we can just plug in our router and
"the right thing happens".  Relatively few sites have signed their domains
at this date.

Unfortunately, the home router industry is seriously dysfunctional; don't
expect widespread deployment of this version of Dnsmasq for 3-4 years.

Everyone on this list is clever enough to run open source firmware in your
home environments, aren't you?  Or do you prefer the challenge of having
trivial-to-crack, man-in-the-middle boxes in your personal environment,
complete with radios for better listening and cracking pleasure as
honeypots? And this while for the last several months "The Moon" worm has
been accumulating the addresses of your home router, for some future
exploit?

And you all help test and look for vulnerabilities in the technology we all
depend on during its development, so that problems are discovered long
before widespread deployment, don't you?
                                                       - Jim
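The practical side of "plug in the router and the right thing happens" is two steps the thread only alludes to: turning validation on in dnsmasq, and checking from a client that the last mile really validates rather than silently forwarding unvalidated answers (the captive-portal case Viktor describes). The script below is an added example, not code from the thread, from CeroWrt or from the dnsmasq project. It assumes: a dnsmasq built with DNSSEC support whose `dnssec`, `trust-anchor` and `dnssec-check-unsigned` options behave as the current dnsmasq man page documents them (the post only says 2.69 "has support for DNSSEC", not which options it shipped with); the root trust anchor with key tag 20326, which is the root KSK in use since the October 2018 rollover (the KSK-2010 anchor a 2014-era build shipped with is no longer valid, so any old config must be updated); `dig` from BIND on the client; and two probe zones, `isc.org` (assumed still signed) and `dnssec-failed.org` (Comcast's deliberately mis-signed test zone). The `dig` transcripts embedded in the script are constructed, trimmed samples so the classifier can be exercised offline; the config path is whatever you pass in.

```shell
#!/bin/sh
# Added example: enable DNSSEC validation in dnsmasq and verify it from a client.
# Not from the mailing-list thread, CeroWrt or the dnsmasq project.

# Write a dnsmasq configuration fragment to the path given as $1
# (e.g. a file under a directory dnsmasq reads via conf-dir; your choice).
# Assumes dnsmasq was built with DNSSEC support (HAVE_DNSSEC).
write_dnsmasq_dnssec_conf() {
  cat > "$1" <<'EOF'
# Validate answers received from the upstream (forwarded-to) servers.
dnssec
# Root KSK-2017 trust anchor (key tag 20326) as published by IANA; verify the
# digest against https://data.iana.org/root-anchors/root-anchors.xml before use.
# Format: trust-anchor=<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BAC114B4E4D04C34F7F6A86
# Prove that an unsigned answer really comes from an unsigned zone (extra queries,
# but without it an attacker can strip the RRSIGs and the answer passes as unsigned).
dnssec-check-unsigned
EOF
}

# Classify a `dig +dnssec` transcript:
#   validated   - the resolver set the AD flag (it validated the chain itself)
#   bogus       - SERVFAIL, which is what a validating resolver returns for a
#                 zone whose signatures do not verify (e.g. dnssec-failed.org)
#   unvalidated - an answer with no AD flag: the last-mile resolver is not
#                 validating (typical of captive-portal or hotel forwarders)
classify_dig_output() {
  if printf '%s\n' "$1" | grep -q 'status: SERVFAIL'; then
    echo bogus
  elif printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'; then
    echo validated
  else
    echo unvalidated
  fi
}

# Constructed, trimmed dig transcripts (not captured from a real resolver),
# one per outcome, so the classifier can be checked without network access.
DIG_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
DIG_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Live last-mile check against a resolver address (needs network and dig).
# A validating resolver should print "validated" then "bogus"; a forwarder
# that does not validate prints "unvalidated" twice.
check_resolver() {
  r="$1"
  echo "signed zone  (isc.org):           $(classify_dig_output "$(dig @"$r" +dnssec isc.org A)")"
  echo "broken zone  (dnssec-failed.org): $(classify_dig_output "$(dig @"$r" +dnssec dnssec-failed.org A)")"
}

# Usage: sh dnssec-lastmile.sh 192.168.1.1   (your router's resolver address)
if [ -n "${1:-}" ]; then
  check_resolver "$1"
fi
```

The two probes are deliberately paired: a signed zone that answers with AD shows the resolver validates, and the mis-signed zone returning SERVFAIL shows it also rejects, which is the half a forged answer would exploit. Run the check from the client side of every network you care about, since a hotel portal can intercept port 53 and hand back unvalidated answers no matter what the home router does.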

