Re: [owl-users] DNSSEC support

From: Solar Designer <solar_at_private>
Date: Sat, 14 Feb 2009 02:05:36 +0300

Hi Radek,

Thank you for bringing this topic up on the list.  Perhaps we should
have brought it up prior to making the change.

On Fri, Feb 13, 2009 at 02:02:47PM +0100, Radek Michalski wrote:
> I have a question about your last note on Owl-current changes. You wrote
> that you dropped DNSSEC support in bind "which is not useful on the Internet
> at large yet".

Radek is referring to this entry in CHANGES-current:

2009/02/06	Package: bind
Dropped DNSSEC support, which is not useful on the Internet at large
yet.  Those who wish to experiment with DNSSEC at their own risk may
set BUILD_OPENSSL to 1 and rebuild the package.

> I know that I can enable it if I want, but I'd like to ask
> you about the fundamental reasons. Why do you find it not useful? I don't want to
> start any polemic, but I'd like to know your opinion only.

I wouldn't say I find DNSSEC "not useful", but the current state of
things is that it is "not useful on the Internet at large yet".  When
discussing this on our internal development list, the following surveys
on DNSSEC being (not) ready for use were mentioned:

	http://epic.org/privacy/dnssec/
	http://ccnso.icann.org/surveys/dnssec-survey-report-2007.pdf

Basically, DNSSEC is not yet supported on the root nameservers and on
major TLDs (there are very few exceptions).

When working on Owl, we'd like to focus on code that people actually
use.  We'd like to be providing timely security updates for security
issues that actually matter.  By supporting DNSSEC officially, we had to
provide timely security updates for any DNSSEC-related issues in BIND as
well, even though this hardly mattered to anybody.  In fact, this is
still the case for Owl 2.0-stable, as we did not drop the feature from
the 2.0-stable branch.  So the change in Owl-current will sort-of come
into effect, potentially saving us time, starting with the next release
of Owl.

Besides, we have no definitive answer on whether merely including DNSSEC
support into BIND at compile time, even if such support is not being
made use of by the system's administrator, exposes additional code
within BIND (and maybe OpenSSL) to potential attacks or not.  Spending
our time on auditing (and, if necessary, hardening) BIND's code for
that did not appear to be worthwhile, given that DNSSEC might remain
sort-of experimental for some years to come.

Thus, dropping support of DNSSEC for the lifecycle of the next release
of Owl seemed like the right thing to do - and that's what we did.

Now, I am curious - does anyone in here actually use DNSSEC?  On Owl?
Using our pre-built BIND?

Thanks again,

Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

-- 
To unsubscribe, e-mail owl-users-unsubscribe_at_private and reply
to the automated confirmation request that will be sent to you.
Received on Fri Feb 13 2009 - 15:05:36 PST