Date:      Fri, 06 Dec 2013 17:01:56 -0600
From:      Mark Felder <feld@FreeBSD.org>
To:        Mark Andrews <marka@isc.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <1386370916.5659.56527093.3A6A1DF1@webmail.messagingengine.com>
In-Reply-To: <20131206223300.89253B55861@rock.dv.isc.org>
References:  <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <alpine.BSF.2.00.1312041212000.2022@badger.tharned.org> <E915D8A5-1CD0-465B-BAD1-59C45C9415F4@gid.co.uk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org>

On Fri, Dec 6, 2013, at 16:33, Mark Andrews wrote:
> 
> In message <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com>, Mark Felder writes:
> > On Fri, Dec 6, 2013, at 16:00, Mark Andrews wrote:
> > > 
> > > But they should all be running a recursive validating resolver on
> > > every box.
> > > 
> > 
> > Are you *really* suggesting that I should run a recursive validating
> > server on every single server I admin?
> 
> I'm suggesting that it should be run on *every* machine in the
> world, until all the applications that use data from the DNS have
> been upgraded to validate the data they get from the DNS, need to
> be running a validating resolver.
> 
> MiTM attacks happen all the time in the DNS.
> 
> For mobile devices I would say "Don't leave home without one" to
> use a well-known slogan.
> 

In a world where every zone is signed (DNSSEC) I might agree, but what's
preventing your traffic from being a victim of a MITM attack when 99% of
the internet doesn't have DNSSEC deployed? Having a local resolver
doesn't improve your security in a statistically significant way.

I'm a small fish working in a small ISP, and I admin the DNS servers for
maybe 5000 zones. I have zero DNSSEC. In 2014 I expect to maybe have one
zone (ours) with DNSSEC. I do not even expect our customers to request
or understand DNSSEC by 2020 -- not even the local banks and credit
unions we are authoritative for.

On the other hand, running a new daemon on all of our servers -- many of
them lightweight VMs -- is likely out of the question; we're time
constrained as-is. (My DNS servers are on a trusted network; if they're
in our network we have a whole host of different problems. If they're on
the server itself nothing can be trusted; they'd just hijack the network
stack anyway.)

Anyway, this is just my two cents; the idea is noble and
well-intentioned but I don't think it will gain traction. Security is
always an uphill battle. :-( I'm honestly more worried about BGP route
hijacking / MiTM than DNS MiTM attacks. I appreciate your thoughts and
insight, though.
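The disagreement above turns on whether a local validating resolver actually proves anything for the answers a host receives. The only signal an application gets is the AD (Authentic Data) bit in the DNS header, which a validating resolver sets only when the zone is signed and the chain verified; for an unsigned zone the answer comes back with AD clear, and a bogus signed answer comes back SERVFAIL. The following Python is an added example, not code from the thread or from BIND, that decodes that header and classifies the response; the three sample headers are constructed inline rather than fetched from the network.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authentic Data: the resolver validated this answer
FLAG_CD = 0x0010   # Checking Disabled: client asked the resolver not to validate
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header and expose the validation-relevant fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "response": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": ancount,
    }


def validation_status(msg: bytes) -> str:
    """Classify a response the way a DNSSEC-aware client should read it."""
    h = parse_header(msg)
    if not h["response"]:
        return "not-a-response"
    if h["rcode"] == "SERVFAIL":
        return "servfail"      # from a validating resolver this often means bogus data
    if h["ad"]:
        return "validated"     # signed zone, chain of trust verified by the resolver
    return "unvalidated"       # unsigned zone (or non-validating resolver): nothing proven


# Constructed sample headers (assumed values, no network involved). QR|RD|RA = 0x8180.
def _header(flags: int, answers: int = 1) -> bytes:
    return struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 0)


SIGNED_ZONE_RESPONSE = _header(0x8180 | FLAG_AD)       # what a validating resolver returns for a signed zone
UNSIGNED_ZONE_RESPONSE = _header(0x8180)               # the common case described in the thread: AD never set
BOGUS_RESPONSE = _header(0x8180 | 2, answers=0)        # validation failed: SERVFAIL, no answer records

if __name__ == "__main__":
    for name, msg in [("signed", SIGNED_ZONE_RESPONSE), ("unsigned", UNSIGNED_ZONE_RESPONSE), ("bogus", BOGUS_RESPONSE)]:
        print(f"{name:9s} -> {validation_status(msg)}")
```

Only the "validated" outcome tells a host it is protected against a forged answer; for the unsigned zones that make up most of the DNS, a local resolver cannot return anything stronger than "unvalidated".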
