posted by bburton on August 09, 2010
The article on potential issues to come with the DNSSEC rollout caught our eye and merited some comment.
The article mainly cites the concerns OpenDNS has and outlines the following reasons why DNSSEC might not be a good thing.
DNSSEC makes it all but impossible to perform any sort of MITM. OpenDNS provides filtering services, typo redirection, and white/black lists tailored to its clients' needs. This works by having OpenDNS servers act as the recursive resolver for every lookup, which is essentially a MITM scenario.
DNSSEC will not break OpenDNS's current model, because today all clients trust their recursive resolver. If Windows, OS X, or other platforms ever stop trusting their direct upstream resolver and default to performing DNSSEC validation themselves, I'm sure there will be an option to disable it. That option will be easy to manage in large organizations, and once it is available, OpenDNS will update its setup steps to include turning off validation.
DNS zones that return different results depending on the querying client. Examples of services that could be affected are CDNs and the NTP Pool Project. OpenDNS thinks the high query volume will make signing each response difficult.
However, the signatures can be precomputed. DNSSEC adds a Signature Expiration field alongside the normal TTL: the TTL may say a response can be cached for 20 seconds, as with some Akamai records, while the precomputed signature stays valid for days, and up to 68 years. This works for most CDN services, Akamai included, because the CDN provider controls the servers at each IP address.
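To make the TTL-versus-signature-lifetime point concrete, here is an added example (not from the original post) that models how a validating resolver checks a precomputed RRSIG: the validity window is compared with 32-bit serial arithmetic (RFC 4034 section 3.1.5, which is what bounds a window to roughly 68 years), and the canonical form is rebuilt with the original TTL carried in the RRSIG (RFC 4034 section 6.2), so the signature stays good while the cached TTL counts down. The zone key, record names and addresses are constructed, and HMAC-SHA256 stands in for the zone's public-key signature.

```python
import hmac, hashlib, struct
from dataclasses import dataclass

def serial_le(a, b):
    """a <= b in RFC 1982 serial arithmetic on 32-bit DNS timestamps."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000

def in_validity_window(inception, expiration, now):
    """RFC 4034 3.1.5: an RRSIG is usable only while inception <= now <= expiration."""
    return serial_le(inception, now) and serial_le(now, expiration)

@dataclass(frozen=True)
class RRset:
    name: str
    ttl: int            # TTL as handed out; a cache counts it down
    rdatas: tuple

@dataclass(frozen=True)
class RRSIG:
    inception: int
    expiration: int
    original_ttl: int   # TTL at signing time, carried in the RRSIG
    sig: bytes

def canonical_form(rrset, original_ttl, inception, expiration):
    """Bytes both sides hash: the original TTL, never the cache's current TTL (RFC 4034 6.2)."""
    hdr = struct.pack("!III", original_ttl, inception, expiration) + rrset.name.lower().encode()
    return hdr + b"".join(sorted(r.encode() for r in rrset.rdatas))

def sign(rrset, key, inception, expiration):
    """Precompute an RRSIG once; HMAC-SHA256 stands in for the zone's public-key signature."""
    msg = canonical_form(rrset, rrset.ttl, inception, expiration)
    return RRSIG(inception, expiration, rrset.ttl, hmac.new(key, msg, hashlib.sha256).digest())

def validate(rrset, rrsig, key, now):
    """Validator: check the window, then recompute over canonical form using the RRSIG's TTL."""
    if not in_validity_window(rrsig.inception, rrsig.expiration, now):
        return False
    msg = canonical_form(rrset, rrsig.original_ttl, rrsig.inception, rrsig.expiration)
    return hmac.compare_digest(rrsig.sig, hmac.new(key, msg, hashlib.sha256).digest())

# Constructed sample: CDN-style answer with a 20-second TTL, signed once for a 7-day window.
KEY = b"constructed-zone-key"
SIGNED_AT = 1281312000          # 2010-08-09 00:00:00 UTC
WEEK = 7 * 86400
RRSET = RRset("www.example.com.", 20, ("192.0.2.10", "192.0.2.11"))
SIG = sign(RRSET, KEY, SIGNED_AT, SIGNED_AT + WEEK)
CACHED = RRset("www.example.com.", 3, RRSET.rdatas)   # same RRset after 17 s in a resolver cache
```

`validate(CACHED, SIG, KEY, SIGNED_AT + 3 * 86400)` returns True even though the 20-second TTL has expired many times over, while any query after `SIGNED_AT + WEEK` or any altered rdata fails.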
The NTP Pool Project most likely won't have a problem either. As of August 9th, 2010, it has over 2000 different time servers available, all volunteered. A rogue entity could join the project and serve erroneous results. In a targeted attack, though, it would send proper NTP packets to all hosts except the ones it was targeting, so it would remain in the pool and its records would carry valid signatures. The NTP Pool Project is inherently trust-based, and DNSSEC would not ensure that you were getting the correct time.
Those are our thoughts. We’d love to hear feedback from you via Twitter or the IAM + DevOps Group on LinkedIn.