Monday, October 1, 2007

And speaking of trusting DNS

In the previous post, I argued that in practice people put a lot of trust in DNS. For another example, the standard anti-phishing advice is "Type the web address directly into your browser." In a short but potent article entitled DNS Complexity, Paul Vixie (whose name is on several DNS-related RFCs) gives a picture, as of April 2007, of just what a leap of faith this is. A couple of quotes:
[I]t is computationally trivial to pollute a caching name server with data that was never seen or published or approved by the editor of the administrative authority zone that it purports to have come from [...] DNSSEC (DNS Security Extensions) has been in production [sic] for 12 long years, without any production use to date, and we in the Internet standards community look forward to solving and re-solving this problem for many years to come. (But, I'm not bitter about it.) Meanwhile, the only reason that DNS isn't attacked more often is that nobody trusts its authenticity. (A catch-22, perhaps?)
Well, maybe no one who knows DNS intimately trusts its authenticity. Most people trust it without even knowing they're trusting it.
[T]he combination of things that were left unspecified in the protocol, things that were loosely specified in the protocol, and things that were unenforceably specified in the protocol - and implementations in the field that interpret the protocol specifications in all of their myriad ways - describes a rich and multidimensioned space where it's almost deliberately impossible to know exactly what's happening or exactly what would happen under describable circumstances. This holds true for the Internet's routing system as well, but in DNS there are more variables in every axis than in any other distributed system I've studied. We who work in the field think of DNS a little bit as though it were alive, and I hope that after reading this article, you can see why.
Indeed. Everyone together now: "It's aliiiive!"

1 comment:

David Hull said...
This comment has been removed by the author.