Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Alex Bligh <alex@alex.org.uk> Fri, 08 August 2008 07:56 UTC

Date: Fri, 08 Aug 2008 08:55:18 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: Duane at e164 dot org <duane@e164.org>, Ralf Weber <denic@eng.colt.net>
cc: bert hubert <bert.hubert@netherlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>, Alex Bligh <alex@alex.org.uk>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Message-ID: <09B9BDC1BA78A4C82CC20893@nimrod.local>
In-Reply-To: <489BF4C8.9000309@e164.org>
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl> <E3BF6308-12F6-4269-B949-2853E5E8F607@eng.colt.net> <489BF4C8.9000309@e164.org>


--On 8 August 2008 17:24:56 +1000 Duane at e164 dot org <duane@e164.org> 
wrote:

>> Is there a technology that can prove that the answer I am getting from
>> my DNS resolver is correct?
>
> Don't use someone else's resolver for starters, then reduce the TTL to
> almost nothing and the chance of being affected is greatly reduced; of
> course DNSSEC won't solve this problem without critical mass either, so
> even if you deploy or utilise DNSSEC you could still be affected by
> cache poisoning.

That just goes to prove Ralf's point.
a) DNSSEC may be an ugly pig, but it's the only technology available today
   that PROVES the answer is correct (rather than 'greatly reduces' the
   chance of it being wrong)
b) Like most security measures, both sides need to be using it. It does
   little in practice at the moment because it isn't deployed (no critical
   mass, as you put it). This is not an argument not to deploy it
   ("my gun does not work because it is not loaded, therefore do not load
   it because it does not work"); if anything, it's the opposite.

Alex
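A worked illustration of the contrast in (a) and the "both sides" point in (b), added to this archive page and not part of the thread or of any DNSSEC implementation: a validating resolver either proves an RRset under a trust anchor, rejects it when the signed bytes have been altered, or, with no anchor configured for the signer (the "no critical mass" case), can prove nothing either way. It assumes Ed25519, DNSSEC algorithm 15, which RFC 8080 standardised well after this 2008 message; the owner name, address, timestamps and key tag are constructed values from the documentation ranges, and the validity-period, key-tag and DS-chain checks of a real validator are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"sort"
	"strings"
)

// RR is a cut-down resource record as a resolver holds it.
type RR struct {
	Name        string
	Type, Class uint16
	TTL         uint32 // carried, but (as in DNSSEC) not part of what is signed
	Rdata       []byte
}

// RRSIG holds the RRSIG RDATA fields of RFC 4034 section 3.1; algorithm 15 is Ed25519 (RFC 8080).
type RRSIG struct {
	TypeCovered, KeyTag            uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	SignerName                     string
	Signature                      []byte
}

type Status string // the validating resolver's verdict (RFC 4035 section 4.3)

const (
	Secure   Status = "secure"   // signature verified under a configured trust anchor
	Insecure Status = "insecure" // no trust anchor for the signer: nothing proven either way
	Bogus    Status = "bogus"    // a signature is present but does not verify
)

// wireName encodes a name in wire format, lower-cased as canonical form requires (RFC 4034 section 6.2).
func wireName(name string) []byte {
	var b bytes.Buffer
	for _, label := range strings.FieldsFunc(strings.ToLower(name), func(r rune) bool { return r == '.' }) {
		b.WriteByte(byte(len(label)))
		b.WriteString(label)
	}
	b.WriteByte(0)
	return b.Bytes()
}

// signedData is what the signature covers (RFC 4034 section 3.1.8.1): the RRSIG RDATA without the
// Signature field, then the RRset in canonical form (section 6.3): RRs sorted by RDATA, each with
// its TTL replaced by the RRSIG's original TTL, so a cache counting the TTL down changes nothing.
func signedData(sig RRSIG, rrs []RR) []byte {
	var b bytes.Buffer
	for _, f := range []interface{}{sig.TypeCovered, sig.Algorithm, sig.Labels, sig.OrigTTL,
		sig.Expiration, sig.Inception, sig.KeyTag} {
		binary.Write(&b, binary.BigEndian, f)
	}
	b.Write(wireName(sig.SignerName))
	sort.Slice(rrs, func(i, j int) bool { return bytes.Compare(rrs[i].Rdata, rrs[j].Rdata) < 0 })
	for _, rr := range rrs {
		b.Write(wireName(rr.Name))
		for _, f := range []interface{}{rr.Type, rr.Class, sig.OrigTTL, uint16(len(rr.Rdata))} {
			binary.Write(&b, binary.BigEndian, f)
		}
		b.Write(rr.Rdata)
	}
	return b.Bytes()
}

// signRRset is the zone owner's side: it fills in the Signature field.
func signRRset(priv ed25519.PrivateKey, sig RRSIG, rrs []RR) RRSIG {
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return sig
}

// validate is the resolver's side; a real validator also checks the validity period, the key tag
// and the DS chain from the signer's key up to the root, all left out here.
func validate(anchors map[string]ed25519.PublicKey, sig RRSIG, rrs []RR) Status {
	pub, ok := anchors[strings.ToLower(sig.SignerName)]
	if !ok || sig.Algorithm != 15 {
		return Insecure
	}
	if ed25519.Verify(pub, signedData(sig, rrs), sig.Signature) {
		return Secure
	}
	return Bogus
}

// scenario signs a constructed A RRset for www.example. and returns the resolver's verdict in four situations.
func scenario() (genuine, forged, noAnchor, cacheAged Status) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	a := func(ttl uint32, ip ...byte) []RR { return []RR{{"www.example.", 1, 1, ttl, ip}} }
	sig := signRRset(priv, RRSIG{TypeCovered: 1, Algorithm: 15, Labels: 2, OrigTTL: 3600,
		Expiration: 1221000000, Inception: 1218000000, KeyTag: 12345, SignerName: "example."},
		a(3600, 192, 0, 2, 10))
	anchors := map[string]ed25519.PublicKey{"example.": pub}
	genuine = validate(anchors, sig, a(3600, 192, 0, 2, 10))                          // untouched answer: proven
	forged = validate(anchors, sig, a(3600, 198, 51, 100, 99))                        // address swapped in transit: rejected
	noAnchor = validate(map[string]ed25519.PublicKey{}, sig, a(3600, 192, 0, 2, 10)) // no anchor configured: unproven
	cacheAged = validate(anchors, sig, a(12, 192, 0, 2, 10))                          // TTL counted down by a cache: still proven
	return
}
```

The last case is the one that bears on the TTL suggestion: canonical form substitutes the RRSIG's original TTL, so a cache counting the TTL down neither breaks validation nor contributes anything to it; only the signature under a configured anchor distinguishes a correct answer from an altered one, and without that anchor the verdict is "insecure", not "secure".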

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>