[Dnssec-trigger] Open Issues

Fri Jan 27 11:08:44 UTC 2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

Dnssec trigger (now at version 0.9) is an experiment to put DNSSEC on
your laptop.  It works, people are using it.  Most of the bugs seem to
have been worked out of the system.  The issues that remain are visual
and feature-completeness.  They center on user-friendliness (i.e. for
computer illiterate people), and on enterprise-site-configuration.

o Visual.  I have ignored these requests.  Kept the GUI minimal.  Icon
change requested for brighter colours: lighter blue, more visible red
pixels on the warning icon (everyones traybar has a different bg
colour I guess).  The configuration options would be along the lines
of: overrides for insecure access to .local (from the dhcp dns), stubs
for local-company-zones.

o Autoupdate feature.  On windows and OSX the update functionality is
atrocious, you have to implement yourself and there is no support.  On
Linux and in BSD ports, this is handled by distros.  Autoupdate would
work without user intervention (silent updates).  The real issue is
having a signing key for this, that is safe enough (with DANE on the
horizon, this component could become critical to the security of the
machine, the software install is basically remote-root access).

o Hotspot signon features.  See email on that topic.  About user
friendliness, having to use a menu item is only possible for geeks.

o Resolvers that can do tcp-dns-port80 and ssl-dns-port443 to be able
to handle a large user group.  Alternatively, we do not configure any
such fallbacks, users will get a warning and go to insecure mode.
Because this is the last fallback option, it should have a smaller
traffic requirement (than the 'OK' page from the hotspot discussion).

o there are some smaller todo items, such as facilitating ssl-key
rollover on the ssl resolvers.

o some people have expressed porting wishes, like app-store, ports to
iPhone, Android.  It is likely impossible because dnssec-trigger must
have root access (for setting the DNS IP).  Android is open source,
its base system could be contributed to.  Phone Oses do not give root
access to apps.  App-stores for PCs also have sandboxing, no root.

o perhaps there are other obstacles?

What features must the dnssec-trigger system contain?

o an anti-idea that cropped up a couple times is to provide
error-analysis of dnssec failures.  This is not possible, only you (a
geek) can understand the analysis anyway, and popups to workaround the
error turn into 'ignore security failure' nightmares that destroy
security.  Right now the system checks for security on wifi-connect.
After that, all dnssec failures are simply failures.  (diagnostic
tools are for the administrator, we could write errors to log, easy
enough to set unbound to write validation failures to system log, and
this is where systemadmins are used to looking for error desc).
Separate diagnostic tools, of course, exist, like dnsviz,
dnssec-tools.org.

o do we really need a go-insecure-connect-to-this-wifi button?  This
button turns off dnssec, you have your old-fashioned dnssec-less
experience.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPIoW8AAoJEJ9vHC1+BF+NFTQP/3CBQsTnxgK4yfnRHE9frgEH
Gy3KpWXV/Q8BrSeVWkApxfLA3GBpc73AvHSK0KiIEfmxG+vFE2KS8Dvvd2nak/YR
0oaxdoj2znw1YuEwQy41ujMGwtr0MA+nVekbcTrgC+slOcGFI7bUkWPme2GjzWC6
y3XbDphawRc7fUI2ShhAz7qOVttJfV9A2WSwVvHlhVp8mrLtLCP/Bbm2i2a85CkJ
iLQepTFs8S/EPOMMUUL+rPJzl8n4AnFo7E5nJSoxLjHgEgWEH7xvbo8Rmjayn5T/
gR/OaghWSOHwUaETMeUPFAtXgS1OncbpINYmWWuqhht92SjZ9tTWo41KgpRAzRSr
Bf2NSXvhhGhaBVkBP+m9ySdjpbaajjWsZbGW0zzcE+jMu0Kbow0V2/L2uSqqP7IW
BvIcxhk/1kZ0F75j/BddhBdgWExbqJPRAB7pJc0dVVNynZsEs+7Qut1ASlihToa+
2I9g/q/JUpOZuDDMUvHbIFSTSCjCtW46iqil2lujQiorRbrD/HK0o3q+3rVxTz5B
xDz9I5Il1CfcM59+4WIYZyfHOW4Nvvgc1s71QBemh+yGj3xPLOlEadqgP+iU16k4
B5iYV7DDIZGSmGoQZ0D5EaRc6fanD1ZZUJ5tJ8O0MxM32wcRlXy+uvvmUO65kP1W
0gNZ+DGDOTdb3zFxUusQ
=0rtq
-----END PGP SIGNATURE-----