IETF Logo Mail Archive

Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

bert hubert <bert.hubert@netherlabs.nl> Thu, 24 July 2008 06:22 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 032653A68D9; Wed, 23 Jul 2008 23:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.85
X-Spam-Level:
X-Spam-Status: No, score=-0.85 tagged_above=-999 required=5 tests=[AWL=-0.346, BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwgnJZULL+Zo; Wed, 23 Jul 2008 23:22:02 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 184483A68B7; Wed, 23 Jul 2008 23:22:02 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KLtzI-000Or3-Rc for namedroppers-data@psg.com; Thu, 24 Jul 2008 06:07:40 +0000
Received: from [2001:888:10:36::2] (helo=adsl-xs4all.ds9a.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <ahu@outpost.ds9a.nl>) id 1KLtzD-000OqW-IL for namedroppers@ops.ietf.org; Thu, 24 Jul 2008 06:07:38 +0000
Received: from outpost.ds9a.nl ([85.17.220.215] ident=postfix) by adsl-xs4all.ds9a.nl with esmtp (Exim 4.63) (envelope-from <ahu@outpost.ds9a.nl>) id 1KLtz8-0001a0-7e for namedroppers@ops.ietf.org; Thu, 24 Jul 2008 08:07:30 +0200
Received: by outpost.ds9a.nl (Postfix, from userid 1000) id 8AF304B44E; Thu, 24 Jul 2008 08:07:44 +0200 (CEST)
Date: Thu, 24 Jul 2008 08:07:44 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: David Conrad <drc@virtualized.org>
Cc: DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Message-ID: <20080724060743.GA7420@outpost.ds9a.nl>
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <2FFE6519-7E9C-4DE8-AF69-697A4D875011@nominum.com> <20080723191636.GB32507@outpost.ds9a.nl> <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org>
User-Agent: Mutt/1.5.9i
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

On Wed, Jul 23, 2008 at 02:14:10PM -0700, David Conrad wrote:
> You are constraining the problem so the solution you prefer fits.  The  

No, it goes beyond that. I've constrained the problem to protecting DNS
against people that do not have the ability to intercept and modify your
packets.

This is not an arbitrary restriction. People that CAN modify your
packets in transit are a wholly different problem - they don't even need to
bother with DNS to mess with your traffic. They can do so directly. Not even
DNSSEC will stop them!

And this defines the natural bounding box for how secure DNS MUST be, and
with it a limit on the burden of securing it.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email