[Ach] DNSSEC [was: Re: filippo on SSL SMTP encryption]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 31 22:42:22 CEST 2015


On Tue 2015-03-31 15:59:00 -0400, Thomas Preissler wrote:

> but everything is building on DNS right now and everything is expecting
> (from a DNS point of view) either a response or NXDOMAIN, nothing else.
> With DNSSEC there will be a third state, as 'not trusted'. And you have
> to deny further communication then, or DNSSEC would be pointless.

What you're describing here and in the rest of your message (I think) is
the lack of ability for a zone or a host to signal to clients "please
hard-fail if you can't validate via mechanism X".  Some people call this
"latching" or "locking" into a validation scheme.

This is easier to build into new protocols than to retrofit for existing
protocols, without turning your validation mechanism into "something
that causes otherwise operational stuff to break", but it can actually
be done for both.

The way through this impasse is twofold (and a lot of
tedious-but-necessary work):

 0) when designing new protocols, make sure that you have corroborative
    validation mechanisms required from the start

 1) work piece-by-piece on existing protocols to help them transition to
    solid validation mechanisms *and* find ways to help them lock in
    these changes on a host-by-host or zone-by-zone basis.

SMTP is a great example of case 1, with the exception that the bulk of
the work has been done by too few people.  Viktor Dukhovni has
championed the work thus far, and should be supported in seeing how far
he can drive it.  We also need to put pressure on existing SMTP
deployments to make sure they take advantage of work Viktor and a few
others have done.

        --dkg
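The "latching" idea in the message above, as an added example that is not part of the original post and not Viktor Dukhovni's or any project's code: a client keeps per-zone state recording that DNSSEC-validated TLSA records (mechanism X, here DANE) were seen working, and hard-fails on a later lookup that silently comes back without them. The DNS answers are a constructed stand-in for what a validating resolver would return (secure, insecure, or bogus); the latch TTL, the zone names and the `LatchingPolicy` class are assumptions made for this illustration, not anything specified by the post or by DANE itself.

```python
"""Added example (not from the original post): a client-side latch that locks
a zone into a validation mechanism once it has been seen working.

DNS lookups are simulated with constructed LookupResult values; a real client
would query a DNSSEC-validating resolver and read the AD bit / SERVFAIL.
"""

from dataclasses import dataclass, field
from enum import Enum
import time


class Validation(Enum):
    SECURE = "secure"      # DNSSEC chain validated (e.g. AD bit set)
    INSECURE = "insecure"  # zone unsigned: no chain of trust, but no error
    BOGUS = "bogus"        # signed, but validation failed (SERVFAIL from resolver)


@dataclass
class LookupResult:
    """Constructed stand-in for the outcome of a TLSA lookup for a zone."""
    status: Validation
    tlsa_present: bool


@dataclass
class Latch:
    mechanism: str
    expires_at: float  # assumption: latches age out, HSTS-style


@dataclass
class LatchingPolicy:
    latch_ttl: float = 7 * 24 * 3600  # assumed one-week latch lifetime
    latches: dict = field(default_factory=dict)

    def decide(self, zone, result, now=None):
        """Return (action, reason) for connecting to `zone` given `result`."""
        now = time.time() if now is None else now
        latch = self.latches.get(zone)
        if latch is not None and latch.expires_at <= now:
            del self.latches[zone]
            latch = None

        # A bogus answer is always fatal: the data is broken or hostile.
        if result.status is Validation.BOGUS:
            return "hard-fail", "DNSSEC validation failed (bogus)"

        if result.status is Validation.SECURE and result.tlsa_present:
            # Mechanism X (DANE) is usable: (re)latch and require it next time.
            self.latches[zone] = Latch("dane", now + self.latch_ttl)
            return "require-dane", "validated TLSA seen; zone latched to DANE"

        if result.status is Validation.SECURE and not result.tlsa_present:
            # Authenticated denial of existence: the signed zone itself says
            # it no longer publishes TLSA, so the opt-out is genuine.
            self.latches.pop(zone, None)
            return "opportunistic", "signed zone without TLSA; latch cleared"

        if latch is not None:
            # Unsigned answer for a zone we saw DANE working on: a downgrade.
            # Hard-fail here, otherwise the latch would be pointless.
            return "hard-fail", f"latched to {latch.mechanism}, got insecure answer"

        # Never saw a stronger mechanism: plain opportunistic behaviour.
        return "opportunistic", "no latch; insecure answer accepted"


if __name__ == "__main__":
    policy = LatchingPolicy(latch_ttl=100)
    steps = [
        (0, LookupResult(Validation.INSECURE, False)),   # first contact
        (10, LookupResult(Validation.SECURE, True)),     # DANE works: latch
        (20, LookupResult(Validation.INSECURE, False)),  # downgrade: fail
        (200, LookupResult(Validation.INSECURE, False)), # latch expired
    ]
    for t, res in steps:
        print(t, policy.decide("mail.example", res, now=t))
```

The fifth branch is the one the message is about: with the latch in place, an unsigned answer that would otherwise be treated as "no DANE here, proceed opportunistically" becomes a hard failure, because the zone was seen offering the stronger mechanism before.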


