## page was renamed from DNS/DNSSEC/good-bad
## page was renamed from DNS/DNSSEC/slide
== DNS/DNSSEC/good-bad ==
http://xs.powerdns.com/presentation-hitb/

http://xs.powerdns.com/presentation-hitb/dnssec-good-very-bad.pdf

DNSSEC protects against
 * "Spoofing attacks": large amounts of spoofed packets with 'improved answers' try to get accepted as the real thing
 * Unreliable secondaries/slaves: your slave/secondary might fiddle with your data
 * Unreliable governments and service providers: might inject advertisements or redirect your vital facebook updates

On the second point, there does seem to be room for improvement for the case where the secondary server cannot be trusted.

-----
DNSSEC: How compelling?

The threats on the previous page are not immediate
 * Post RFC5452 spoofing attacks are very hard,
 * you can pick your secondaries with care, and
 * governments don't need DNS to get your packets.

== Other reasons ==
The pressure-type reasons (customers demand it, and so on) are omitted here.

 great excuse to clean up your DNS!

So that is how it is argued. Isn't the order backwards?
{{{
DNSSEC cannot be used unless the DNS configuration is done properly.
}}}
It seems right that, beyond merely supporting DNSSEC, providers who cannot configure DNS properly will not survive. I hope it turns out that way.

-- ToshinoriMaeno <>

== slide page 24 ==
On the delegation issue
 * Each name in DNSSEC has exactly ONE signature (set)
   So if ns1.fox-it.com is part of the .com zone, AND part of the fox-it.com zone, it will only be signed in the fox-it.com zone, and not in com!
 * So how do we perform a secure delegation? WE DON'T!
   So if your zone is not signed, but .com is, you don't benefit at all

== slide 25 ==
If your zone IS signed, verification only really happens at the very end.
 The delegating answer from COM is not verified.

== slide 26 ==
DNSSEC technique: denial of service
 * Since delegating answers, for example from .com, are not themselves DNSSEC secured, they can be modified at will
   For example, to point at 127.0.0.1
 * Since DNSSEC verification only happens at the end
   Or in this case, not at all
 This means that DNSSEC does nothing to protect the interim resolution steps

== slide 31 ==
Current DNSSEC deployments are secure up to the ISP's resolver.
"Last mile" is unsecured!
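To make the slide 24 to 26 point concrete, here is an added toy simulation (not code from the PowerDNS presentation or from the page author) of where signatures sit across a delegation: the parent's NS and glue records at the delegation point carry no RRSIG, the DS record is the only signed link to the child key, and validation runs only once the final answer is in hand. All zone names, addresses and keys are constructed; HMAC stands in for the public-key RRSIG so that the example runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed toy signing keys; HMAC stands in for the public-key RRSIG so the
# example needs only the standard library. Real zones publish DNSKEY records.
KEYS = {"com.": b"toy-com-key", "example.com.": b"toy-example-key"}
# The validator's configured trust anchor: a DS-style hash of the com. key.
TRUST_ANCHOR = hashlib.sha256(KEYS["com."]).hexdigest()


def rrsig(key, name, rtype, rdata):
    """Stand-in for an RRSIG over one RRset: a MAC over (owner, type, rdata)."""
    return hmac.new(key, f"{name}|{rtype}|{rdata}".encode(), hashlib.sha256).hexdigest()


def signed(zone, name, rtype, rdata):
    """A record together with its RRSIG, as the signing zone publishes it."""
    return rdata, rrsig(KEYS[zone], name, rtype, rdata)


def build_com():
    """com. as seen at the example.com. delegation point (constructed)."""
    return {
        ("com.", "DNSKEY"): signed("com.", "com.", "DNSKEY", KEYS["com."].hex()),
        # The referral: NS and glue are published by com. but carry no RRSIG.
        ("example.com.", "NS"): ("ns1.example.com.", None),
        ("ns1.example.com.", "A"): ("192.0.2.53", None),
        # DS is the only signed link from the parent to the child's key.
        ("example.com.", "DS"): signed("com.", "example.com.", "DS",
                                       hashlib.sha256(KEYS["example.com."]).hexdigest()),
    }


def build_example():
    """example.com., fully signed with its own key (constructed)."""
    key_hex = KEYS["example.com."].hex()
    return {
        ("example.com.", "DNSKEY"): signed("example.com.", "example.com.", "DNSKEY", key_hex),
        ("www.example.com.", "A"): signed("example.com.", "www.example.com.", "A", "192.0.2.80"),
    }


def verify(key_hex, name, rtype, rdata, sig):
    """Check an RRSIG stand-in under the key carried in a DNSKEY record."""
    if sig is None:
        return False
    return hmac.compare_digest(rrsig(bytes.fromhex(key_hex), name, rtype, rdata), sig)


def resolve(qname, com, servers):
    """Follow the com. referral to the child, then validate the chain.

    servers maps an address to the zone data the server there returns;
    an address with no entry behaves like a host that never answers.
    """
    # Step 1: the referral. Nothing in it is signed, so nothing can be checked.
    ns_name, _ = com[("example.com.", "NS")]
    glue_addr, _ = com[(ns_name, "A")]
    child = servers.get(glue_addr)
    if child is None:
        return "SERVFAIL", f"no response from {glue_addr}"  # validation never ran
    # Step 2: the final answer and the child's key.
    rdata, sig = child[(qname, "A")]
    child_key, child_key_sig = child[("example.com.", "DNSKEY")]
    # Step 3: validation, top down, only now that the answer is in hand.
    com_key, com_key_sig = com[("com.", "DNSKEY")]
    if hashlib.sha256(bytes.fromhex(com_key)).hexdigest() != TRUST_ANCHOR:
        return "BOGUS", "com. DNSKEY does not match the trust anchor"
    if not verify(com_key, "com.", "DNSKEY", com_key, com_key_sig):
        return "BOGUS", "com. DNSKEY RRSIG invalid"
    ds, ds_sig = com[("example.com.", "DS")]
    if not verify(com_key, "example.com.", "DS", ds, ds_sig):
        return "BOGUS", "DS RRSIG invalid"
    if hashlib.sha256(bytes.fromhex(child_key)).hexdigest() != ds:
        return "BOGUS", "child DNSKEY does not match DS"
    if not verify(child_key, "example.com.", "DNSKEY", child_key, child_key_sig):
        return "BOGUS", "child DNSKEY RRSIG invalid"
    if not verify(child_key, qname, "A", rdata, sig):
        return "BOGUS", f"RRSIG over {qname} A does not verify"
    return "SECURE", rdata


def scenario_clean():
    return resolve("www.example.com.", build_com(), {"192.0.2.53": build_example()})


def scenario_rewritten_glue():
    """The slide's example: the unsigned glue now points at 127.0.0.1."""
    com = build_com()
    com[("ns1.example.com.", "A")] = ("127.0.0.1", None)  # no RRSIG to break
    return resolve("www.example.com.", com, {"192.0.2.53": build_example()})


def scenario_rewritten_answer():
    """The signed final answer is altered; its RRSIG no longer matches."""
    example = build_example()
    _, sig = example[("www.example.com.", "A")]
    example[("www.example.com.", "A")] = ("198.51.100.1", sig)
    return resolve("www.example.com.", build_com(), {"192.0.2.53": example})


if __name__ == "__main__":
    for s in (scenario_clean, scenario_rewritten_glue, scenario_rewritten_answer):
        print(f"{s.__name__:25s} -> {s()}")
```

The two failure scenarios end differently: the altered final answer is reported as BOGUS because a signature covers it, while the altered glue produces only a SERVFAIL, since no signature ever existed for the resolver to check. Monitoring that distinguishes validation failures from plain resolution failures is what lets an operator notice the second case.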
== slide 32 ==
End-to-End DNSSEC
 * Wow! So why are people pushing providers to "do" DNSSEC? No idea
 * Solution right now is for everyone to run a validating resolver (would kill the internet)
   Better solutions mean that the ISP resolver ships all the signing proof to the stub resolver in the client PC (nice)
 * Stub resolvers are limited though..
 * browsers themselves might do the validation though!

== xxx ==
Downgrade attacks are a big worry; it is very tricky to encode whether a domain has DNSSEC enabled.

Unsure how to deal with 'degrading' a broken protocol.

== Summary ==
It is there. It can be used. But there are many defects, and many problems.
...
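The slide 31/32 notes above say that today's deployments stop at the ISP resolver and that a stub resolver is limited to what that resolver tells it. The following added example (not code from the presentation or the page author) parses two constructed wire-format responses for www.example.com/A: one where the upstream resolver only sets the AD flag, and one where it also ships the RRSIG, the "better solution" of slide 32. A stub that trusts AD cannot tell a genuine response from one rewritten on the last mile; a stub that insists on the signing proof at least has something it could validate. The addresses, message ID and RRSIG contents are all made up, and the RRSIG's signature field is a zero-filled placeholder.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 1 << 15, 1 << 8, 1 << 7, 1 << 5


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(qname, flags, answers):
    """answers: list of (wire_name, type, ttl, rdata) for the answer section."""
    hdr = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | flags,
                      1, len(answers), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, ttl, rdata in answers:
        msg += name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_response(data):
    """Header flags plus the answer section as (name, type, ttl, rdata)."""
    ident, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4  # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, data[off:off + rdlen]))
        off += rdlen
    return {"id": ident, "ad": bool(flags & FLAG_AD), "answers": answers}


def trusts_ad_flag(data):
    """A stub that simply believes the upstream resolver's AD bit."""
    return parse_response(data)["ad"]


def carries_proof(data, qname, qtype):
    """A stub that requires an RRSIG covering the answer before accepting it."""
    for name, rtype, _, rdata in parse_response(data)["answers"]:
        if name == qname and rtype == TYPE_RRSIG:
            type_covered = struct.unpack("!H", rdata[:2])[0]
            if type_covered == qtype:
                return True
    return False


# Constructed messages. 0xc00c is a compression pointer to the question name.
QNAME = "www.example.com."
PTR_QNAME = b"\xc0\x0c"
A_RDATA = bytes([192, 0, 2, 80])
# RRSIG rdata: type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer name, then a placeholder signature (all made up).
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_A, 13, 3, 3600, 0, 0, 12345)
               + encode_name("example.com.") + b"\x00" * 64)

# Upstream sets AD but ships nothing the stub could check.
AD_ONLY = build_response(QNAME, FLAG_AD, [(PTR_QNAME, TYPE_A, 3600, A_RDATA)])
# Upstream ships the RRSIG alongside the answer.
WITH_PROOF = build_response(QNAME, FLAG_AD, [(PTR_QNAME, TYPE_A, 3600, A_RDATA),
                                             (PTR_QNAME, TYPE_RRSIG, 3600, RRSIG_RDATA)])
# AD_ONLY after a last-mile rewrite: same flags, different address.
REWRITTEN = build_response(QNAME, FLAG_AD, [(PTR_QNAME, TYPE_A, 3600, bytes([203, 0, 113, 9]))])

if __name__ == "__main__":
    for label, msg in (("AD only", AD_ONLY), ("rewritten", REWRITTEN), ("with proof", WITH_PROOF)):
        print(f"{label:10s} AD={trusts_ad_flag(msg)} proof={carries_proof(msg, QNAME, TYPE_A)}")
```

The AD bit is a single header flag that any party between the ISP resolver and the stub can set, so it is only meaningful over a channel the stub already trusts. Shipping the RRSIG (and the DNSKEY/DS chain, omitted here) gives the stub material it can verify itself, which is the direction slide 32 points at.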