Doing nothing is self-evidently viable. Virtually no business transactions in the world are protected by DNSSEC today. None ever have been. The onus is on you to demonstrate that DNSSEC is viable, because "no DNS security at all" clearly does work.
You keep walking face-first into this rhetorical brick wall. If you're going to say "doing nothing isn't viable", you need to have a ready response to the extremely obvious observation that the Internet seems to function pretty OK without DNS security. It's not 1994 anymore. You can't wave your hands and suggest that the Internet is going to get more serious in 10 years and need better security. It already needs the best security it can possibly get. It's just that DNSSEC isn't part of that mix.
As far as I can see, deploying DNSSEC validation on the networks of the affected mail servers - and receiving DNSSEC-signed MX records - would prevent them from delivering mail to servers in the middle.
It's things like this that I want to prevent.
I want a more secure Internet - and in my view DNSSEC helps.
I'm sorry, but I'm going to have to point out that your comment doesn't respond to mine in any way.
Once again: the 2015 Internet functions with no DNS security whatsoever. BGP announcements, themselves unencrypted, aren't protected with DNSSEC. Browsers don't use DNSSEC in any way and are in fact blind to it. Email will remain insecure with or without it. Credit card transactions are protected at a layer higher than DNS, one designed to assume that the DNS would always be insecure.
Why, specifically, is doing nothing to secure the DNS "not viable"?
> I'm sorry, but I'm going to have to point out that your comment doesn't respond to mine in any way.
Hmmm... you said " you need to have a ready response to the extremely obvious observation that the Internet seems to function pretty OK without DNS security "
I gave you one example. Here are some more:
- There are now over 800 XMPP servers with DNSSEC-signed SRV records that can be used to ensure they are talking to the correct servers. https://xmpp.net/reports.php#dnssecsrv
- There are now over 1,000 email servers using TLSA records (DANE) to provide a higher level of security to the TLS connections between email servers. (Viktor Dukhovni of exim)
These are very real cases where adding DNSSEC is, to me, increasing the security of DNS.
Because I'm around examples like these, I see value in securing the DNS. So to me, "doing nothing" is not an option.
Wait. The one place you suggest DNSSEC is adding security value is small servers for an unencrypted insecure messaging service: that is to say, the one place where NSA's almost total ability to manipulate the DNS would (a) most likely go completely undetected and (b) transparently cough up chat transcripts from private message sessions.
And one of the ways you suggest it could help is to allow clients to override TLS certificates and instead trust the government-controlled DNS.
Cert scanning projects and Certificate Transparency (edit: and pinning) may reverse this calculus or may already have reversed it, but of course the TLS certificates are commonly being issued on the strength of what unauthenticated DNS records said at the time of issuance. Adversaries that could tamper with a CA's view of a zone (or a route) at some point could cause cert misissuance, whether or not they could modify the underlying zone contents. The DNS is the underlying evidentiary basis for a substantial number of DV cert issuance events.
Not conceding anything... just pointing out some of the use cases today that are interesting.
Another one is most of the email service providers in Germany, where DNSSEC / DANE are being seen as ways to have a more secure email environment.
The list can go on...
> And one of the ways you suggest it could help is to allow clients to override TLS certificates and instead trust the government-controlled DNS.
:-) Where did I say override, Thomas? You can, if you wish, use a different trust anchor than the current (broken) CA system, but the beauty of DANE is that it gives you a way to add another layer of trust to existing systems. So you can use a CA-issued TLS cert and put a fingerprint in a TLSA record as an added check during a SMTP transaction. You could also check certs with CT... and if it were HTTP you could do pinning as well.
> BGP announcements, themselves unencrypted, aren't protected with DNSSEC.
This is true, but only because BGP announcements don't involve DNS, and so all the DNS security in the world won't help. Agreed that there is a lot of scope for doing better on BGP security, though - and indeed DNS security.
The fact that "all the DNS security in the world won't help" is part of my point. There aren't really any places where "all the DNS security in the world" will help.
I found many of your criticisms of DNSSEC reasonable and well-informed, but the "do nothing" part puzzled me. The information security status quo isn't exactly excellent or ideal. DNS attacks (including monitoring of DNS queries) often form a part of other attacks. Many of those attacks are perhaps best mitigated at other layers, but not all have been, and at least something like query privacy can't be.
(Yes, I know DNSSEC doesn't try to address query privacy, so that problem isn't an argument for DNSSEC itself.)
DNSSEC makes it easier to take servers down, not harder: a tiny UDP DNSSEC request generates a massive DNSSEC response loaded up with RSA key material.
Exactly the same thing we do today! Assume the DNS is poisoned, and delegate security to higher layers so that there's not much point in bothering to poison it. Literally, my answer is DO NOTHING NEW.
> delegate security to higher layers so that there's not much point in bothering to poison it. Literally, my answer is DO NOTHING NEW.
That would not help my server - the DNS poisoning is acting like a DDOS. Sure the random victims know they are on the wrong page, but it doesn't help my server for them to know that.
Isn't exactly the same form of DDOS --- not even reaching how many simpler ways there are to DDOS you --- available in DNSSEC, by injecting non-validating records?
You keep walking face-first into this rhetorical brick wall. If you're going to say "doing nothing isn't viable", you need to have a ready response to the extremely obvious observation that the Internet seems to function pretty OK without DNS security. It's not 1994 anymore. You can't wave your hands and suggest that the Internet is going to get more serious in 10 years and need better security. It already needs the best security it can possibly get. It's just that DNSSEC isn't part of that mix.