[Cryptography] Doing DNS properly Re: Apple's iCloud+ "VPN"

Viktor Dukhovni cryptography at dukhovni.org
Mon Jun 28 13:32:14 EDT 2021


> On 26 Jun 2021, at 2:17 pm, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> 
> 4) Nobody can use DNSSEC errors to reject responses because it is far more likely
> these are due to misconfiguration than an attack.

The DNS wire protocol and its ad-hoc presentation formats are indeed creaky legacies,
but the network effect makes it rather hard to replace, so we keep patching it as
best we can.

That said, both Google's and Cloudflare's public DNS servers, used by a large
community of users, actually do SERVFAIL on DNSSEC validation failure, and the
sky's not falling.  There are many other resolvers doing enforced validation.

While it is true that misconfiguration is more common than MiTM attacks, the
actual failure rate is rather low, and most of the failing domains are parked,
or otherwise not widely used.

While validation is not yet as widely deployed as one might hope, it is
in fact reasonably widely enabled.

> Meanwhile the resident NSA shill successfully turned DPRIV and DANE into
> protocols that would block deployment of any competent effort in that area.

IETF politics can account for most protocol complexity, or lack of a coherent
cross-protocol design, without any need to seek NSA shills.

Point solutions that can be deployed piecemeal have an evolutionary advantage
on the Internet over more architecturally ambitious designs.

-- 
	Viktor.
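The behaviour Viktor describes (a validating resolver answering SERVFAIL for a name whose signature chain is bogus) is easy to check for yourself. The following is an added example, not code from the list post or from any resolver project: it builds the two queries on the wire (DO bit set, with and without the CD "checking disabled" header flag), decodes the response header, and compares the two answers. RFC 4035 specifies that a validator returns SERVFAIL for bogus data unless the client sets CD, so SERVFAIL without CD and NOERROR with CD means the resolver validates. Assumptions: the test name `dnssec-failed.org` (Comcast's publicly documented broken test zone; any known-bogus name works), the constant names and the `probe`/`classify` helpers are this example's own; the sample response bytes in `offline_demo` are constructed, not captured, so the demo runs without network access.

```python
"""Check whether a resolver enforces DNSSEC validation (added example).

RFC 4035: a validating resolver answers SERVFAIL for bogus data when the
client sets DO, but answers normally if the client also sets CD.  Comparing
the two answers shows whether the resolver validates, and only the header
plus an EDNS0 OPT record is needed, so this uses raw wire format.
"""
import socket
import struct

# Header flag bits (RFC 1035 s4.1.1; AD/CD from RFC 4035 s3.2)
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

# Assumption: a zone that deliberately fails to validate.  dnssec-failed.org
# is Comcast's public test zone; any known-bogus name behaves the same way.
BOGUS_NAME = "dnssec-failed.org"


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                checking_disabled: bool = False) -> bytes:
    """Recursive query for (name, qtype, IN) with an EDNS0 OPT RR, DO=1."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
    # "TTL" = ext-RCODE(8) | version(8) | DO bit (0x8000) | Z, RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header; its flags carry everything we need."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & 0x000F, "ancount": an}


def classify(plain: dict, with_cd: dict) -> str:
    """Compare the DO-only answer with the DO+CD answer for a bogus name."""
    if plain["rcode"] == RCODE_SERVFAIL and with_cd["rcode"] == RCODE_NOERROR:
        return "validating-bogus-refused"
    if plain["rcode"] == RCODE_NOERROR and plain["ad"]:
        return "validating-authenticated"   # the name was not bogus after all
    if plain["rcode"] == RCODE_NOERROR and with_cd["rcode"] == RCODE_NOERROR:
        return "not-validating"             # bogus data served without CD
    return "inconclusive"                   # e.g. SERVFAIL both ways: outage


def probe(resolver: str, name: str = BOGUS_NAME, timeout: float = 3.0) -> str:
    """Live check over UDP/53 (needs network; offline_demo below avoids it)."""
    headers = []
    for cd in (False, True):
        query = build_query(name, checking_disabled=cd)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (resolver, 53))
            resp, _ = sock.recvfrom(4096)
        hdr = parse_header(resp)
        if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["qr"]:
            raise ValueError("response does not match query")
        headers.append(hdr)
    return classify(*headers)


def offline_demo() -> str:
    """Constructed sample responses (not captured from a real resolver)."""
    query = build_query(BOGUS_NAME)
    question = query[12:12 + len(encode_name(BOGUS_NAME)) + 4]
    # DO-only answer from a validator: QR|RD|RA, RCODE 2, no records.
    servfail = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA
                           | RCODE_SERVFAIL, 1, 0, 0, 0) + question
    # Same query with CD: QR|RD|RA|CD, RCODE 0, one A record for the
    # documentation address 192.0.2.1, owner name compressed to offset 12.
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    answered = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA
                           | FLAG_CD, 1, 1, 0, 0) + question + a_rr
    return classify(parse_header(servfail), parse_header(answered))


if __name__ == "__main__":
    print(offline_demo())
```

To test a real resolver, call `probe("8.8.8.8")` or `probe("1.1.1.1")`; a resolver that does not enforce validation returns "not-validating" for the bogus name. Two caveats: SERVFAIL both ways means the resolver could not resolve the name at all (outage, or no EDNS support), which `classify` reports as inconclusive rather than as a validation result, and a resolver that does not validate but forwards to one that does can still show "validating-bogus-refused".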


