
Re: Jessie release goal: DNSSEC as default recursive resolver



On Mon, Oct 28, 2013 at 01:01:13PM +0100, Thijs Kinkhorst wrote:
> On Sat, October 26, 2013 18:52, Ondřej Surý wrote:
> > we can adopt dnssec-trigger
> 
> I think it's indeed very important that a default install uses the DHCP
> provided DNS-servers or locally configured resolvers, because in many
> networks that's the only way to reliably resolve things. dnssec-trigger
> may provide that

It might be worse.  Some ISPs use an equivalent of:
    iptables [...] --dport 53 -j REDIRECT (or DNAT)
to answer all queries locally.  Reasons vary: reining in Androids
hard-coded for 8.8.8.8, censorship, hijacking NXDOMAIN for ads, etc.

My personal story: years ago, a local garden-variety ISP (~300 users) had a
problem because of a computer shop which, in machines sold or repaired there,
set DNS settings to those of a national near-monopoly ISP (for some cargo
cult reasons).  Then, one day, that national ISP turned off recursion for
outside IPs.  "Teh internet broke".  The local ISP's guys came to me, as
blaming the computer shop would end up just in losing customers because
"your internet doesn't work and you lie blaming others -- easily proven
by connecting that computer elsewhere".  I proposed and implemented the
above redirect which neatly fixed the problem.

It's obvious what will happen if that redirected-to DNS server blocks
DS/RRSIG/NSEC/... queries (like typical crap home routers do).  And even
worse, this scenario is indistinguishable from some actual attacks DNSSEC
guards against.

-- 
ᛊᚨᚾᛁᛏᚣ᛫ᛁᛊ᛫ᚠᛟᚱ᛫ᚦᛖ᛫ᚹᛖᚨᚲ
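A defender-side probe for the failure mode described above, added here as an example and not part of the original post: it builds a query with the EDNS0 DO bit set (the request for RRSIGs), parses the answer, and reports whether signatures came back or were stripped somewhere on the path. The responses below are constructed in-line (name example.net, address 192.0.2.1, dummy RRSIG RDATA) so the code runs offline; in practice you would send build_query() over UDP to whatever /etc/resolv.conf names and feed the reply to parse_response().

```python
import struct

A, OPT, RRSIG = 1, 41, 46  # RR type codes (RFC 1035 / RFC 6891 / RFC 4034)

def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234, qtype=A):
    """Query with RD set plus an EDNS0 OPT record whose DO bit asks for DNSSEC records."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)          # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # IN class
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)  # root name, UDP size, DO bit, no RDATA
    return hdr + question + opt

def read_name(data, off):
    """Read a (possibly compressed) name; return (labels, offset after the name)."""
    labels = []
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:                                     # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            return labels + read_name(data, ptr)[0], off + 2
        off += 1
        if n == 0:
            return labels, off
        labels.append(data[off:off + n].decode()); off += n

def parse_response(data):
    """Return rcode, the AD (authenticated data) flag and the RR types present in all sections."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, types = 12, []
    for _ in range(qd):
        _, off = read_name(data, off); off += 4                  # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        _, off = read_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen; types.append(rtype)
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "types": types}

def classify(resp):
    """'dnssec-intact' if RRSIGs were returned; 'dnssec-stripped' if the DO request was ignored."""
    if resp["rcode"] != 0:
        return "error rcode=%d" % resp["rcode"]                  # e.g. REFUSED/SERVFAIL on DS/RRSIG lookups
    return "dnssec-intact" if RRSIG in resp["types"] else "dnssec-stripped"

def sample_response(txid=0x1234, name="example.net", signed=True):
    """Constructed reply: one A record, plus an RRSIG and the AD flag when `signed` (not real data)."""
    hdr = struct.pack("!HHHHHH", txid, 0x81A0 if signed else 0x8180, 1, 2 if signed else 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", A, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 1])   # 0xc00c -> name at offset 12
    sig_rr = (b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 5) + b"\x00" * 5) if signed else b""
    return hdr + question + a_rr + sig_rr
```

Compare the result against the AD flag: a validating resolver that returns RRSIGs and AD is what a DNSSEC-by-default install needs, while "dnssec-stripped" behind a port-53 REDIRECT looks exactly like the stripping attack the validator is supposed to catch.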

