There is a great series of articles over at the Matasano blog about the deficiencies of DNSSEC. While I have no deep knowledge of the matter, the series seems to bring up very valid points against this security feature (the one closest to my heart being the CPU cost of cryptography, which is expensive even on modern hardware; that expense is also what makes it harder to break). Here are the links to the currently available articles (two more are to come):
- A Case Against DNSSEC (A Matasano Miniseries)
- A Case Against DNSSEC, Count 1: Solves A Non-Problem
- A Case Against DNSSEC, Count 2: Too Complicated To Deploy
What I want to write about today (or, better yet, plead with the ISPs for) are two things:
- Egress filtering: this means that routers check the source IP of the packets which leave their perimeter and drop any packet with an invalid source IP (one from a subnet not associated with the given interface). If all ISPs performed this filtering, IP spoofing would be greatly reduced (since only another IP from the local subnet could still be spoofed) and traceability would improve (in case of a DDoS, for example). Such filtering could be (and may already be) deployed without any impact on legitimate applications. I can think of only two possible problems with it: routers needing additional configuration for each interface (but maybe there are intelligent routers which can perform egress filtering based on their routing tables) and routers needing additional processing power for the filtering.
- Filtering of the SMTP port on consumer networks (except towards the SMTP server of the ISP). This would greatly reduce spam. There is no reason for the average consumer PC to connect to SMTP servers other than the one of the service provider. The only case when a user would need to do such a thing is when s/he has a mail account somewhere else (for example at work or at another service provider). These rare cases could be resolved very simply, and without burdening the helpdesk too much, by offering a web page (with a printed description of it given to each user at connection time), available only to the customers of the ISP, which would allow adding one exception at a time to the rules for the IP the request came from (so that one customer can't add exceptions for other customers) and a specified host. The submission should be protected with a CAPTCHA.
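As an added illustration (not part of the original post), here is a small Python model of the two filters described in the list above: per-interface source address validation, with a variant that derives the check from a routing table as the "intelligent routers" remark suggests, and a port-25 rule that permits only the ISP relay plus customer-added exceptions. All interface names, prefixes and addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the customer prefix legitimately reachable behind each interface.
IFACE_PREFIXES = {
    "cust-a": [ip_network("198.51.100.0/24")],
    "cust-b": [ip_network("203.0.113.0/26")],
}
# Constructed routing table derived from the same prefixes: (prefix, outgoing interface).
ROUTES = [(p, i) for i, ps in IFACE_PREFIXES.items() for p in ps]

def reverse_path_interface(routes, src):
    """Longest-prefix match: the interface the router would use to reach src."""
    addr, best = ip_address(src), None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def source_valid(iface, src, routes=None):
    """Static per-interface prefix check, or, when a routing table is supplied,
    a strict reverse-path check: the packet must arrive on the interface that
    routes back to its claimed source (the 'intelligent router' variant)."""
    if routes is not None:
        return reverse_path_interface(routes, src) == iface
    return any(ip_address(src) in p for p in IFACE_PREFIXES.get(iface, []))

ISP_SMTP = ip_address("192.0.2.25")  # constructed: the ISP's own mail relay
# Constructed: exceptions a customer added from their own IP, as (src, dst) pairs.
EXCEPTIONS = {(ip_address("198.51.100.7"), ip_address("192.0.2.80"))}

def smtp_allowed(src, dst, dport):
    """Consumer hosts may reach port 25 only at the ISP relay or at a host the
    customer explicitly whitelisted for their own source IP."""
    if dport != 25:
        return True
    return ip_address(dst) == ISP_SMTP or (ip_address(src), ip_address(dst)) in EXCEPTIONS

def filter_packet(iface, src, dst, dport, routes=None):
    """Return 'forward' or the reason the packet is dropped at the ISP edge."""
    if not source_valid(iface, src, routes):
        return "drop: spoofed source"
    if not smtp_allowed(src, dst, dport):
        return "drop: direct smtp"
    return "forward"

if __name__ == "__main__":
    print(filter_packet("cust-a", "198.51.100.7", "192.0.2.25", 25))  # forward
    print(filter_packet("cust-a", "203.0.113.9", "192.0.2.25", 25))   # drop: spoofed source
    print(filter_packet("cust-b", "198.51.100.9", "192.0.2.25", 25, routes=ROUTES))  # drop: spoofed source
```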
It is my opinion that these two measures, if implemented by the vast majority (preferably all) of ISPs, would greatly reduce the malicious activity on the Internet.