Re: I-D ACTION:draft-ietf-dnsext-forgery-resilience-01.txt

bert hubert <bert.hubert@netherlabs.nl> Mon, 13 August 2007 11:43 UTC

Date: Mon, 13 Aug 2007 13:06:43 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: Shane Kerr <Shane_Kerr@isc.org>
Cc: namedroppers@ops.ietf.org
Subject: Re: I-D ACTION:draft-ietf-dnsext-forgery-resilience-01.txt
Message-ID: <20070813110643.GB24229@outpost.ds9a.nl>
References: <E1IIPpu-0003yG-Ss@stiedprstage1.ietf.org> <46C03070.7020604@isc.org>
In-Reply-To: <46C03070.7020604@isc.org>
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>

On Mon, Aug 13, 2007 at 12:20:32PM +0200, Shane Kerr wrote:

> Regarding the "Countermeasures" section:
> 
>    Implementations SHOULD NOT use UDP source ports <1024 for sending
>    queries
> 
> Why? I mean, firewalls often block these, but any special reason other than that?

No, I think Peter Koch suggested it for this reason. No other special
reason, we just wanted to include the things suggested over at IETF 68.

>    Implementations MUST use an as large as possible pool of UDP source
>    ports for sending queries
> 
> Perhaps SHOULD? Because this basically means that implementations have to use
> 1024 to 65535 doesn't it?

This is basically a knob you can turn. If you turn it to '1 source port',
you get the current situation as with BIND and Nominum CNS, Windows DNS etc.
If you turn it to 64511 you get DJBDNS or PowerDNS, and the highest
possible protection against spoofing.

Paul has an implementation that has the knob set to 16.

Our feelings are that the draft should strongly state that all available
ports should be used, but we also understand not every OS and platform can
meet this requirement.

Hence 'as large as *possible*'. So you can get out of it if your platform
does not support it.

It is expected that this 'MUST' or 'SHOULD' will be something that needs
further discussion here.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
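The "knob" Bert describes above (1 port vs. 16 vs. all available ports) can be put into numbers. The following is an added example, not code from this thread, from the draft, or from PowerDNS. It assumes a simple forgery model: the forger must match both the 16-bit transaction ID and the UDP source port of an outstanding query, both chosen uniformly at random, and each forged reply tests exactly one (ID, port) pair. The pool sizes 1, 16 and 64511 are the figures quoted in the thread; the attacker packet rate and query window used in the summary are constructed values.

```python
"""Resolver spoof-resistance as a function of the source-port pool size.

Added example, not code from the thread, the draft, or PowerDNS. The model is
an assumption: a forger must guess both the 16-bit transaction ID and the UDP
source port of an outstanding query, both uniform, and every forged reply
tests exactly one (ID, port) pair.
"""

ID_SPACE = 1 << 16  # 16-bit DNS transaction ID

# Port-pool sizes as quoted in the thread (assumed distinct, uniformly chosen).
THREAD_KNOB_SETTINGS = {
    "single port": 1,
    "Paul's implementation": 16,
    "all available ports": 64511,
}


def search_space(port_pool: int, id_space: int = ID_SPACE) -> int:
    """Number of distinct (transaction ID, source port) pairs a forger must cover."""
    if port_pool < 1 or id_space < 1:
        raise ValueError("pool sizes must be positive")
    return port_pool * id_space


def spoof_success_probability(port_pool: int, forged_replies: int,
                              outstanding_queries: int = 1,
                              id_space: int = ID_SPACE) -> float:
    """Probability that at least one of `forged_replies` distinct forged packets
    is accepted while `outstanding_queries` identical queries are in flight
    (each extra identical outstanding query is another target for the same
    guess). Capped at 1.0 once the guesses cover the whole space."""
    p = forged_replies * outstanding_queries / search_space(port_pool, id_space)
    return min(p, 1.0)


def expected_replies_to_spoof(port_pool: int, id_space: int = ID_SPACE) -> float:
    """Expected number of forged replies before a hit when guessing without
    repetition over a space of size S, which is (S + 1) / 2."""
    return (search_space(port_pool, id_space) + 1) / 2


def expected_windows_to_spoof(port_pool: int, replies_per_second: float,
                              window_seconds: float,
                              id_space: int = ID_SPACE) -> float:
    """Expected number of query windows the attacker needs if it can deliver
    `replies_per_second` forged replies during each `window_seconds` window
    in which a query is outstanding. Guesses from one window do not carry over
    to the next because the resolver picks a fresh ID and port per query."""
    guesses_per_window = replies_per_second * window_seconds
    if guesses_per_window <= 0:
        raise ValueError("attacker rate and window must be positive")
    return search_space(port_pool, id_space) / guesses_per_window


def compare_knob_settings(replies_per_second: float = 50_000.0,
                          window_seconds: float = 0.1) -> dict:
    """Summarise the thread's three knob settings under one (constructed)
    attacker budget: replies per second and outstanding-query window."""
    return {
        label: {
            "ports": pool,
            "search_space": search_space(pool),
            "expected_replies_to_spoof": expected_replies_to_spoof(pool),
            "expected_windows_to_spoof": expected_windows_to_spoof(
                pool, replies_per_second, window_seconds),
        }
        for label, pool in THREAD_KNOB_SETTINGS.items()
    }


if __name__ == "__main__":
    for label, row in compare_knob_settings().items():
        print(f"{label}: {row}")
```

With a single source port the whole defence rests on the 16-bit ID, so an attacker who can land 65536 forged replies inside one query window succeeds with certainty; with the full port pool the same attacker needs on the order of 64511 such windows. The `outstanding_queries` parameter makes the separate point that letting identical queries pile up in flight multiplies the attacker's odds for free, which is why the draft's other countermeasures matter alongside port randomisation.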
