Re: [dnsext] A security concern regarding IPv6 support in name servers

Nicholas Weaver <nweaver@icsi.berkeley.edu> Mon, 20 September 2010 14:54 UTC

On Sep 20, 2010, at 7:27 AM, Edward Lewis wrote:

> At 15:55 +0200 9/20/10, Alfred Hönes wrote:
> 
>> The primary question is whether you (as a DNS server) can/should
>> avoid actively contributing to the success of an attacker.
> 
> Whether you are driving (on the autobahn) a truckload of volatile explosive material or a van full of 8 year olds, you should do your best to avoid an accident.

When you are dealing with a house with no front door and no real ability to build a front door, do you worry about the integrity of the bathroom skylight?