Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

sthaug@nethelp.no Fri, 08 August 2008 08:56 UTC

Date: Fri, 08 Aug 2008 10:49:57 +0200
Message-Id: <20080808.104957.74720707.sthaug@nethelp.no>
To: duane@e164.org
Cc: denic@eng.colt.net, bert.hubert@netherlabs.nl, namedroppers@ops.ietf.org
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
From: sthaug@nethelp.no
In-Reply-To: <489C0370.4080502@e164.org>
References: <489BF4C8.9000309@e164.org> <B786FB32-89AB-412E-A502-1CEB9A404041@eng.colt.net> <489C0370.4080502@e164.org>

> > Well this might happen more often now when the hackers do code that
> > utilises Dan Kaminsky's findings. And it just needs to happen to the
> > "right" people, as we see with IPv6 now, which is at least getting
> > some traction after governments endorsed it.
> 
> Either that or they all migrated to recursors that weren't affected and
> so that would mitigate any migration to DNSSEC.

Your "recursors that weren't affected" don't exist. Using more entropy
(by using query ID randomization, port randomization etc) reduces the
probability of spoofing - but as has been pointed out many times here,
this is not a *solution*. It mitigates the problem, it doesn't solve
it.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
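The point Steinar makes above (more entropy lowers the odds of a forged answer being accepted but never drives them to zero) can be put in numbers. The following Python is an added example for this archive page, not code from the post or from any resolver; the configurations, bit counts and burst sizes in it are constructed assumptions, and it models each forged response as an independent uniform guess that must match every randomized field of one outstanding query.

```python
import math

# Added example (not from the mailing-list post): how the entropy a forger
# must match in a DNS query bounds the probability of a successful spoof.
# Model assumptions (constructed for illustration):
#  - every randomized field is uniform and independent;
#  - each forged response is one independent guess at one outstanding query;
#  - a guess matches only if all randomized fields match.

# Bits of randomness per mechanism. The source-port figure assumes the full
# 16-bit range; real ephemeral-port ranges give somewhat less.
QUERY_ID_BITS = 16
SOURCE_PORT_BITS = 16

# Constructed resolver configurations: name -> total bits a forger must match.
CONFIGS = {
    "fixed source port, random query ID": QUERY_ID_BITS,
    "random source port + random query ID": QUERY_ID_BITS + SOURCE_PORT_BITS,
}


def match_probability(bits: int, forged_packets: int) -> float:
    """P(at least one of `forged_packets` guesses matches) for `bits` of entropy."""
    if bits < 0 or forged_packets < 0:
        raise ValueError("bits and forged_packets must be non-negative")
    space = 2 ** bits
    # 1 - (1 - 1/space)^n, computed via log1p/expm1 so it stays accurate
    # when `space` is large and the per-guess probability is tiny.
    return -math.expm1(forged_packets * math.log1p(-1.0 / space))


def packets_for_probability(bits: int, target: float) -> int:
    """Forged packets needed before the spoof succeeds with probability `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    space = 2 ** bits
    return math.ceil(math.log1p(-target) / math.log1p(-1.0 / space))


def compare(forged_packets: int) -> dict:
    """Success probability of a burst of `forged_packets` responses per config."""
    return {name: match_probability(bits, forged_packets)
            for name, bits in CONFIGS.items()}


if __name__ == "__main__":
    n = 50_000  # constructed burst size, chosen to be near 50% for 16 bits
    for name, p in compare(n).items():
        print(f"{name:40s} P(success | {n} packets) = {p:.3e}")
    for name, bits in CONFIGS.items():
        needed = packets_for_probability(bits, 0.5)
        print(f"{name:40s} packets for 50% success = {needed:,}")
    # With both mechanisms the probability drops by a factor of 2**16 but is
    # still positive: the entropy mitigates forgery, it does not remove it.
```

The two functions give both halves of the argument: `match_probability` shows the per-burst odds shrinking by 2^16 when port randomization is added, and `packets_for_probability` shows that a 50% success point still exists for every configuration, only further away. That is exactly "mitigates, doesn't solve": the defence raises the cost, and monitoring for the resulting bursts of mismatched responses is what turns the cost into detection.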

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>