Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Paul Vixie <vixie@isc.org> Fri, 08 August 2008 01:59 UTC
From: Paul Vixie <vixie@isc.org>
To: Duane <duane@e164.org>
cc: Olaf Kolkman <olaf@NLnetLabs.nl>, bert hubert <bert.hubert@netherlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>
In-Reply-To: Your message of "Fri, 08 Aug 2008 11:03:04 +1000." <489B9B48.4090605@e164.org>
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl> <F153E1C5-6E05-475A-897D-471398D161C9@NLnetLabs.nl> <489B9B48.4090605@e164.org>
X-Mailer: MH-E 8.0.3; nil; GNU Emacs 22.2.1
Date: Fri, 08 Aug 2008 01:51:01 +0000
Message-ID: <28119.1218160261@nsa.vix.com>
MIME-Version: 1.0
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
> From: Duane <duane@e164.org>
>
> You summed it up so nicely, they have put so much time and effort into
> this that they can't see if there are other options because they are
> blinded by the blinkers they have on, to go forward no matter what the
> cost or no matter what other solutions could solve the same problem.

as a possible proposed "they" in that example, i wonder what other option
will allow arbitrary end users to be sure that an NXDOMAIN has not been
remapped by their ISP or by their RDNS? or that a secondary name service
provider (or a primary name service provider for that matter) hasn't added
a wildcard to catch typos in their customer domains and send them to an
advertising server? in other words, what other options provide end-to-end
data integrity for DNS? if all you've got is hop-by-hop, i'm uninterested.

amit klein and dan kaminsky have shown us some off-path attacks, to which
dan bernstein and amit klein and david dagon have shown us some RDNS-only
defenses. but provider-in-the-middle and more generally man-in-the-middle
attacks are on-path not off-path. i want protection against on-path
attacks, as well as against all possible future off-path attacks. you're
right that i'm dismissing proposals that do not address those
requirements. now you know exactly why.

> > How would such a person defend against being assessed to suffer from
> > groupthink or tunnel vision?
>
> All I've heard lately is shouts of enable DNSSEC now, or die, frankly
> I'm not very moved by them nor anyone else I know, it's 2008 and DNSSEC
> is using a model even X.509 threw out years ago and has been trying to
> fix ever since.

after watching masataka's superior approach get railroaded into a ditch
back in 1996 or 1997 or so, i can no longer get bogged down in how ugly
the protocol is or how ugly was the process that begat that protocol. my
pragmatic concerns are only, is it end-to-end, and can it be made to work?

show me an option that's end-to-end and can be made to work and i'll pay
close attention and if it's real i'll say "dnssec or this other thing are
the only real solutions." but show me a hop-by-hop solution and i'll say
"this isn't complete" and if it requires a replacement or upgrade of both
RDNS and ADNS nodes then i'll say "at that price i'd prefer end-to-end
data integrity, please."

let's stop talking personalities and focus on the engineering economics.
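The distinction the message above turns on (end-to-end data integrity, where the end user verifies with the zone owner's key, versus hop-by-hop, where each link only vouches for itself) can be made concrete in a small model. The following Python is an added illustration written for this archive page; it is not code from the namedroppers thread nor from any DNSSEC implementation. Its assumptions: the zone "signature" is textbook RSA over a SHA-256 digest with constructed, insecure small primes (a stand-in for RRSIG, not a usable signer); a signed "NXDOMAIN" marker stands in for NSEC/NSEC3 denial proofs; the addresses and names are constructed documentation values; and the hop-by-hop channel is modelled as an HMAC between resolver and stub. The two rewriting cases are the ones vixie names: an ISP resolver remapping NXDOMAIN, and a name service provider synthesising a wildcard answer.

```python
"""Toy model: end-to-end (zone-signed) vs hop-by-hop (channel-MAC) DNS integrity.

Added example, not from the thread.  The RSA here uses tiny constructed primes
and is NOT secure; it exists only to show who holds which key.
"""
import hashlib
import hmac

# --- toy zone key pair (constructed; assumption for the demo, insecure sizes) ---
P, Q = 1000003, 1000033          # small primes
N = P * Q
E = 65537                         # public exponent: stub resolvers hold (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: only the zone signer holds D


def _digest(msg: str) -> int:
    """SHA-256 of the canonical record text, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % N


def sign(msg: str, d: int = D) -> int:
    """Zone-side signature (stand-in for RRSIG generation)."""
    return pow(_digest(msg), d, N)


def verify(msg: str, sig: int, e: int = E) -> bool:
    """End-user validation using only the zone's public key."""
    return pow(sig, e, N) == _digest(msg)


def canonical(name: str, rtype: str, rdata: str) -> str:
    """Canonical form covered by the signature; owner names compare case-insensitively."""
    return f"{name.lower()}|{rtype}|{rdata}"


class Zone:
    """Authoritative side: signs positive answers and signs a denial marker for
    names it does not hold (the marker stands in for an NSEC/NSEC3 proof)."""

    def __init__(self, records: dict, d: int = D):
        self.records, self.d = records, d

    def answer(self, name: str, rtype: str) -> dict:
        rdata = self.records.get((name.lower(), rtype))
        if rdata is not None:
            return {"name": name, "type": rtype, "rcode": "NOERROR",
                    "rdata": rdata, "sig": sign(canonical(name, rtype, rdata), self.d)}
        return {"name": name, "type": rtype, "rcode": "NXDOMAIN",
                "rdata": None, "sig": sign(canonical(name, rtype, "NXDOMAIN"), self.d)}


def honest_resolver(zone: Zone, name: str, rtype: str) -> dict:
    return zone.answer(name, rtype)


def rewriting_resolver(zone: Zone, name: str, rtype: str, ad_server: str = "192.0.2.53") -> dict:
    """ISP / provider behaviour from the thread: a negative answer is remapped to an
    advertising server.  The resolver holds no zone key, so the signature is left as is."""
    resp = zone.answer(name, rtype)
    if resp["rcode"] == "NXDOMAIN":
        resp = dict(resp, rcode="NOERROR", rdata=ad_server)
    return resp


def wildcard_provider(zone: Zone, name: str, rtype: str, ad_server: str = "192.0.2.53") -> dict:
    """A name service provider synthesising a wildcard answer it was never given a key for."""
    resp = zone.answer(name, rtype)
    return dict(resp, rcode="NOERROR", rdata=ad_server)


def validate(resp: dict, e: int = E) -> bool:
    """Stub-side end-to-end check: the signature must cover exactly what is being served."""
    payload = resp["rdata"] if resp["rcode"] == "NOERROR" else "NXDOMAIN"
    return verify(canonical(resp["name"], resp["type"], payload), resp["sig"], e)


# --- hop-by-hop model: a MAC on the last link only, key shared by stub and resolver ---
CHANNEL_KEY = b"constructed-stub-to-resolver-secret"


def channel_mac(resp: dict) -> str:
    m = f"{resp['name']}|{resp['type']}|{resp['rcode']}|{resp['rdata']}"
    return hmac.new(CHANNEL_KEY, m.encode(), hashlib.sha256).hexdigest()


def hop_by_hop_check(resp: dict, mac: str) -> bool:
    """Passes whenever the *resolver* produced the answer, rewritten or not."""
    return hmac.compare_digest(channel_mac(resp), mac)


def demo() -> dict:
    zone = Zone({("www.example.", "A"): "203.0.113.10"})   # constructed zone
    good = honest_resolver(zone, "nosuch.example.", "A")
    remapped = rewriting_resolver(zone, "nosuch.example.", "A")
    wildcarded = wildcard_provider(zone, "typo.example.", "A")
    return {
        "honest_nxdomain_e2e": validate(good),              # True: genuine denial
        "remapped_nxdomain_e2e": validate(remapped),        # False: caught by end user
        "wildcard_e2e": validate(wildcarded),               # False: caught by end user
        "remapped_hop_by_hop": hop_by_hop_check(remapped, channel_mac(remapped)),  # True: not caught
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the last line of `demo()` is the one vixie makes: a hop-by-hop check only tells the stub that the answer came from its resolver, so when the resolver is the party doing the rewriting the check succeeds and nothing is detected. The end-to-end checks fail for both rewritten cases because neither the resolver nor the secondary provider holds `D`, the only value that can produce a signature over the substituted rdata.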