One core problem with DNSSEC

August 10, 2019

As part of my irritation with DNSSEC that led to me turning off DNSSEC in my Unbounds, I said on Twitter:

As a sysadmin, my view of DNSSEC is that life is too short for me to debug other people's configuration problems.

One fundamental problem of DNSSEC today is that it suffers from the false positive problem, the same one that security alerts suffer from. In practice today, for almost all people almost all of the time, a DNSSEC failure is not a genuine attack; it is a configuration mistake, and the configuration mistake is almost never on the side making the DNS query. This means that almost all of the time, DNSSEC acts by stopping you from doing something safe that you want to do and further, you can't fix the DNSSEC problem except by turning off DNSSEC, because it's someone else's mistake (in configuration, in operation, or in whatever).

This is not a recipe for a nice experience for actual people; this is a recipe for mathematical security. As such, it is a security failure. Any security system that is overwhelmed by false positives has absolutely failed to tackle the real problem, which is that your security system must be useful. Security systems that are not useful get turned off, and that is exactly what is happening with DNSSEC.

Another big problem with DNSSEC today, one that magnifies the core problem, is that it has terrible visibility and diagnostics (at least in common implementations). If there is a DNSSEC related failure, generally what happens is that you don't get DNS answers. You don't get told that what has failed is DNSSEC and you don't get a chance to bypass it and proceed anyway (however dangerous that choice might be in practice); instead you mysteriously fail. Mysterious failures are what you could politely call a terrible user experience. Mysterious failures that are not your fault and that you cannot fix (except by turning off DNSSEC) are worse.

(DNSSEC advocates may protest that this is not how it is supposed to work. I am afraid that security measures exist in the real world, where how it actually works is what actually matters. Once again, security is not mathematics.)

PS: To the extent that people are experiencing DNS attacks, the modern Internet world has chosen to deal with it in another way, through HTTPS and TLS in general.

(I have written before about my older experiences with DNSSEC and how I thought DNSSEC would have to be used in the real world. Needless to say, the DNSSEC people have continued with the program of 'everyone must get it right all the time, no errors allowed, hard failures for everyone' since back then in 2014. For my views on DNSSEC in general, well, see this.)

Written on 10 August 2019.
« Turning off DNSSEC in my Unbound instances
Roughly when the Linux Out-Of-Memory killer triggers (as of mid-2019) »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Aug 10 17:03:48 2019
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.