Re: [dnsext] A security concern regarding IPv6 support in name servers

Edward Lewis <Ed.Lewis@neustar.biz> Mon, 20 September 2010 14:31 UTC

At 15:55 +0200 9/20/10, Alfred Hönes wrote:

>The primary question is whether you (as a DNS server) can/should
>avoid actively contributing to the success of an attacker.

Whether you are driving (on the autobahn) a truckload of volatile 
explosive material or a van full of 8 year olds, you should do your 
best to avoid an accident.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.