IETF Logo Mail Archive

Re: [DNSOP] DNSSEC in local networks

"Walter H." <Walter.H@mathemainzel.info> Mon, 04 September 2017 15:22 UTC

Return-Path: <Walter.H@mathemainzel.info>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7604F129C41 for <dnsop@ietfa.amsl.com>; Mon, 4 Sep 2017 08:22:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mathemainzel.info
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id md7TRmKhDZSs for <dnsop@ietfa.amsl.com>; Mon, 4 Sep 2017 08:21:59 -0700 (PDT)
Received: from mx17lb.world4you.com (mx17lb.world4you.com [81.19.149.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3B1313219F for <dnsop@ietf.org>; Mon, 4 Sep 2017 08:21:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mathemainzel.info; s=dkim11; h=Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=ILwDvGoOnHPnA6ZZ0mVP6zaLVja/JIUn76OCS5xamwg=; b=hwpTVHspOgl2KLXgfZ/Ce41hkeDNhht7/tEX2cDBmktw0q32Ei9ey0FsSF0kWPZVOn5LLMr3Tur+EZziDTi9Rtzal23Qczn7NIycx8L5DlcQPNDP9QaZGi860s0Sw7IhIYe5+YfeOjmXVb1UUMEBpih9Xsr/0ypZDMDcx1wzAus=;
Received: from [90.146.55.206] (helo=home.mail) by mx17lb.world4you.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <Walter.H@mathemainzel.info>) id 1dotCF-0000X2-PB; Mon, 04 Sep 2017 17:21:55 +0200
Message-ID: <59AD6F92.9070108@mathemainzel.info>
Date: Mon, 04 Sep 2017 17:21:54 +0200
From: "Walter H." <Walter.H@mathemainzel.info>
Organization: Home
User-Agent: Mozilla/5.0 (UNIX; U; Cray X-MP/48; en-US; rv:2.70) Gecko/20110929 Communicator/7.20
MIME-Version: 1.0
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
CC: dnsop WG <dnsop@ietf.org>
References: <150428805872.6417.9525310755360551475@ietfa.amsl.com> <59A9B760.2060209@mathemainzel.info> <alpine.DEB.2.11.1709012044210.2676@grey.csi.cam.ac.uk> <59A9BCA2.6060008@mathemainzel.info> <20170903043202.GA18082@besserwisser.org> <59AC4E42.9080600@mathemainzel.info> <60304450-DFA3-4982-B01D-CC33C49BDCFC@isc.org> <59f8c88caaf82a5884aa87223d49e7e4.1504505559@squirrel.mail> <3B75D240-13B9-4A94-B56D-24E83B4A4A8F@rfc1035.com> <3fe7bc511a990b0288b645dc176e1ef3.1504515284@squirrel.mail> <20170904150151.h7v3da7s3jp4yhec@nic.fr>
In-Reply-To: <20170904150151.h7v3da7s3jp4yhec@nic.fr>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070509090904080708040901"
X-SA-Do-Not-Run: Yes
X-AV-Do-Run: Yes
X-SA-Exim-Connect-IP: 90.146.55.206
X-SA-Exim-Mail-From: Walter.H@mathemainzel.info
X-SA-Exim-Scanned: No (on mx17lb.world4you.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2BKkPBPegWR6WAevf30_tNuqoOk>
Subject: Re: [DNSOP] DNSSEC in local networks
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Sep 2017 15:22:02 -0000

On 04.09.2017 17:01, Stephane Bortzmeyer wrote:
> On Mon, Sep 04, 2017 at 10:54:44AM +0200,
>   Walter H.<walter.h@mathemainzel.info>  wrote
>   a message of 25 lines which said:
>
>> I'd say: "either you trust the local net or not";
> ..., but I think it is a
> mistake.
not really, when  there is a security problem, DNS is the less one ...
and I didn't say, that a locally running resolver would not be allowed 
to validate DNSSEC;
but there needn't be a DNSSEC signed local only zone, as the signature 
and zone content comes from the same host;
you can of course validate your own local only zone, nobody prevents you 
from doing so, but it is somewhat strange;
and the fact that a change of the zone doesn't need to be resigned 
raises problems to;

  Many local networks are vulnerable to packets with an
internal address coming from the outside, routing attacks diverting
traffic outside, etc. Not to mention the internal attacks, for
instance by a MS-Windows zombie.

even this is true, DNSSEC for the local zones doesn't make it any better;
as I said, when there is a security problem DNS is the less one ...

> It seems to me that having TLS, DNSSEC and SSH and so on even in the
> local net is Best Practice.
yes and no; when operating a local  mail server that uses TLS for IMAP, 
SMTP, then
a Anti-virus has to break TLS in order to scan before it gets to the 
client ...

v2.14.0 | Report a Bug | By Email