Why DNSSEC May Not be a Good Thing

Recently, DNSSEC has been rolling out into major DNS servers, including those that serve the .org zone and now the root zone. At first glance this sounds like a good thing: every response from a DNS server can be validated by the resolver, so a man-in-the-middle can no longer substitute answers.

However, there are commercial uses for “man-in-the-middle” operations; OpenDNS is one that comes immediately to mind. Indeed, OpenDNS is opposed to DNSSEC and has implemented DNSCurve instead.

The main problem (for this discussion) is that DNSSEC completely removes the possibility of a man-in-the-middle – that is, a DNS server like OpenDNS can no longer return an IP address other than the one actually published in DNS for a machine.

The OpenDNS article also suggests that Akamai and the NTP Pool Project will be affected by this as well. In these cases, the problem is that when a name is presented to the DNS server, it chooses a particular IP address based on parameters of its own choosing – so a fixed one-to-one mapping of DNS name to IP address is both irrelevant and impossible.

This also suggests that DNS round robin for clusters would be impossible to implement with DNSSEC active.

DNSSEC also interferes with split horizon DNS configurations, although there are ways to make it work.

It will be interesting to see what becomes of DNSSEC if commercial interests like OpenDNS and Akamai speak out against it.

One thought on “Why DNSSEC May Not be a Good Thing”

  1. Well, if you run a service that cannot be used with DNSSEC, you can always choose to not sign your zone. No one will force you to sign it.

    OpenDNS will still be able to provide their “enhanced” resolver service, and still validate the responses, as long as the clients using their resolvers do not do validation on their own.

    Akamai just announced that they as of now are offering DNSSEC services, both signing customer zones as well as hosting already signed zones.

    If you mean round-robin with multiple A RRs in the zone, that is perfectly doable with DNSSEC. Just sign the RRset and be done with it. There are also ways to sign dynamic updates. And I’m sure there are (or already exist) ways to sign records “on the fly” with custom-made DNS software that returns different A records based on the client’s location.

    I personally believe DNSSEC will grow. The speed has already increased quite a bit now that we have the root signed.
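To make two of the points above concrete, the post's claim that DNSSEC stops a resolver from handing back an address the zone never published, and the comment's point that an RRset with several A records is signed as one unit, here is a small Python model. It is added to this page and is not code from the post, from OpenDNS, from Akamai or from any DNS implementation. It assumes textbook RSA over SHA-256 as a stand-in for a real DNSSEC algorithm (real RRSIGs use padded signatures and a binary wire format), a simplified canonical form, and constructed names, addresses and keys.

```python
"""Toy model of the DNSSEC validation idea: one RRSIG covers a whole
RRset, so a validating resolver can hand out the A records in any order
(round robin) yet rejects any record that was substituted in transit.
Textbook RSA over SHA-256 stands in for a real DNSSEC algorithm and the
canonical form is simplified; this is not DNSKEY/RRSIG wire format."""
import hashlib
import random


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd number with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_zsk(bits=512):
    """Hypothetical zone-signing key (constructed): returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # modular inverse needs Python 3.8+


def canonical_rrset(owner, rtype, ttl, rdatas):
    """Canonical form in the spirit of RFC 4034 section 6: owner name
    lower-cased and fully qualified, RDATA sorted, one RR per line.
    The order the RRs arrive in does not matter; the set is what is signed."""
    owner = owner.lower().rstrip(".") + "."
    return "\n".join(f"{owner} {ttl} IN {rtype} {rd}" for rd in sorted(rdatas)).encode()


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_rrset(private, owner, rtype, ttl, rdatas):
    """Toy RRSIG: RSA over the SHA-256 digest of the canonical RRset."""
    n, d = private
    return pow(_digest_int(canonical_rrset(owner, rtype, ttl, rdatas)), d, n)


def validate_rrset(public, rrsig, owner, rtype, ttl, rdatas):
    """What a validating resolver does with the answer it received."""
    n, e = public
    return pow(rrsig, e, n) == _digest_int(canonical_rrset(owner, rtype, ttl, rdatas))


def round_robin(rdatas, query_number):
    """Resolver-side rotation: same RRset, different first address per query."""
    k = query_number % len(rdatas)
    return rdatas[k:] + rdatas[:k]


def demo():
    """Returns (every_rotation_validates, substituted_answer_validates)."""
    public, private = generate_zsk()
    # Constructed sample: three cluster members behind one name.
    cluster = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    rrsig = sign_rrset(private, "www.example.com", "A", 300, cluster)
    # Round robin: every rotation of the signed set still validates,
    # even when the query used different capitalisation of the owner name.
    rotations_ok = all(
        validate_rrset(public, rrsig, "WWW.Example.COM.", "A", 300, round_robin(cluster, i))
        for i in range(len(cluster)))
    # A resolver that swaps in an address the zone never published (the
    # substitution the post describes) produces an answer that fails validation.
    substituted = ["192.0.2.10", "192.0.2.11", "203.0.113.5"]
    substituted_ok = validate_rrset(public, rrsig, "www.example.com", "A", 300, substituted)
    return rotations_ok, substituted_ok


if __name__ == "__main__":
    print(demo())
```

Run it as a script and `demo()` reports that all three rotations of the cluster's A RRset validate while the answer with a substituted address does not. The design point is that the signature binds the set of RDATA, not their order, which is why reordering for round robin is compatible with DNSSEC but returning an unpublished address is not; a resolver that wants to return a different address must either skip validation (as the comment notes for non-validating clients) or be the signer of that zone.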

