Paths2Trust

Earlier, I wrote about making DNSSEC deployment happen more widely by separating out the work for DNSSEC signing (the "transmitters") from DNSSEC validating resolvers (the "receivers").  Baby steps are going to be needed to get each side of the equation working, and to eventually build up to a huge deployment.

The activities necessary to get the "receivers" ramped up are: awareness, education, easy-trust-anchors, and diagnostics.  Last-time I wrote about easy-trust-anchors.  Let's go back to awareness & education.

I wrote to the author of the "DNSSEC in 6 minutes" but haven't heard back yet.  I hope to hear soon, but if not, I'll develop my own document.  The cookbook can be quite simple, especially if it references the TAR retrieval scripts.  But how do we get people to know how to do this?  This is the AWARENESS issue.  And maybe INCENTIVES, too...

For starters, we can work with the DNSSEC deployment working group, chaired by Jim Galvin.  There's bound to be good ideas to get wide distribution of the cookbook. 

A new group, the DNSSEC Industry Coalition, has also just formed, as written up in this NetworkWorld article.  As a member of this group, I am thrilled that we are talking about using DNSSEC for more than just protecting against cache poisoning, but using secure DNS to enable new killer applications such as anti-spam and other ideas.  This type of thing might provide the INCENTIVES to get the masses rolling.  Getting registrars involved in the education process will surely help, and that is a major focus of the industry coalition.

In the meantime, if you have any ideas on awareness and education, send them to me and I'll pass them on to the group.

One of the phrases used in high-tech that drives me absolutely crazy is "all the customer has to do is..." followed by a lengthy set of steps the customer ISN'T going to do.  Not if there is an easier alternative...like doing nothing.

So that's why I don't like the current solutions for deploying DNSSEC trust anchors.  And why I believe it's going to get simpler with some automation scripts.

Does trust-anchor management need automation?  after all, it only takes two lines in the named.conf file:  "dnssec-enable: yes" and a "$include trust_anchors_and_dlv".

But then it gets trickier.  Where do I get the trust anchors file?  How many are there?  How do I know I can trust them?

There is talk of building trust-anchor repositories, but they don't quite exist yet.  Even when they do, I believe a small script needs to be published that Joe the Administrator can download from sourceforge or equivalent.  The script would "phone home" on a regular basis to securely retrieve trust-anchors, validate them against a secure redundant copy elsewhere, verifies signatures, etc.  It might even register itself each time it runs so that a world-wide counter of VALIDATING RESOLVERS could be updated.  Then we could have an animated map of the world display how fast DNSSEC resolvers are being deployed, just like Dan Kaminsky did at Black Hat to show how fast the DNS patch was deployed.

Is this hard to do?  Nope.  Look for it soon. 

In the meantime, if you want to manually install some trust-anchors, I'd suggest leveraging the work done by Duane Wessels over at DNS-OARC.  He has an open validating resolver with trust anchors.  It even uses the ISC DLV which is great!  I tried resolving my company name, www.secure64.com with this resolver and it came back with the AD bit set to indicate "Authenticated Data".  Perfect.  To use the Validating Resolver, check out he secure web site https://www.dns-oarc.net/oarc/services/odvr

To see how he did it:

https://www.dns-oarc.net/files/odvr/configs/bind/named.conf
https://www.dns-oarc.net/files/odvr/configs/bind/trusted-keys.conf

https://www.dns-oarc.net/files/odvr/configs/unbound/unbound.conf
https://www.dns-oarc.net/files/odvr/configs/unbound/trusted-keys.conf
https://www.dns-oarc.net/files/odvr/configs/unbound/dlv-keys.conf

OK, getting back to the main subject....

How might we get the bazillion DNS caching servers out there to turn on DNSSEC validation (the "receiver" part of DNSSEC)?  Well, in fact, there are multiple activities that need to ramp up to enable a DNSSEC tipping point:

1. Awareness: all the "Joe the Administrator" guys have to know that it's a good idea to turn this on, don't-cha-know

2. Education and Demonstrations: and they need to know that it's fairly easy to turn it on, you-betcha!

3. Trust-Anchors and DLV's we can trust:  this is the big missing piece... Joe the Administrator has to regularly update trust anchors and it better be painless.  (ok, no more political jokes...)

4. Diagnostics:  prove to Joe that it is really working and isn't doing bad things

These will be the subjects of multiple blog postings.  But let's start with a brief intro to #2: education.  Joe the Administrator needs a really simple recipe...something like the DNSSEC in 6 minutes tutorial -- only shorter and simpler to talk about just the validation side of DNSSEC.  (http://www.usenix.org/event/lisa08/dnssec_bof.pdf)

I think separating out the receiver side (validation) side from the transmitter side (zone signing) will make this a simple recipe that administrators can deal with.  But the recipe will be incomplete without setting up trust anchors.  Making that simple will be the subject of the next posting.