Re: Forgery resilience idea - wildcard cooperative defense

bert hubert <bert.hubert@netherlabs.nl> Thu, 07 August 2008 17:42 UTC

Date: Thu, 07 Aug 2008 19:38:19 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: Paul Vixie <vixie@isc.org>
Cc: Brian Dickson <briand@ca.afilias.info>, Wouter Wijngaards <wouter@NLnetLabs.nl>, Namedroppers <namedroppers@ops.ietf.org>, dns-operations@lists.oarci.net
Subject: Re: Forgery resilience idea - wildcard cooperative defense
Message-ID: <20080807173819.GA25195@outpost.ds9a.nl>
References: <489AD5E3.20708@nlnetlabs.nl> <45759.1218122552@nsa.vix.com> <489B295C.3020002@ca.afilias.info> <59360.1218129508@nsa.vix.com>

On Thu, Aug 07, 2008 at 05:18:28PM +0000, Paul Vixie wrote:
> any solution requiring cooperative action/change by both the RDNS and ADNS
> has a cost that's equivalent to "deploy DNSSEC".  the thing that's good

That's simply not true - DNSSEC does not function automatically even if both
ADNS and RDNS support it. 

DNSSEC needs a change to:
	ADNS,
	RDNS,
	the zone,
	the registry,
	the registrar,
	and even the operational procedures of the domain owner
	(and the stub and the application, if you want to give the end-user a
	choice).

EDNS PING or other entropy enhancing solutions provide benefit to anybody
deploying them, without further work, and require only ADNS and RDNS work.

DNSSEC provides lots of other things beyond entropy of course. 

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
