Re: [dnsext] Support for EDSN0 PING
Paul Vixie <vixie@isc.org> Fri, 15 May 2009 14:41 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E57613A70E8; Fri, 15 May 2009 07:41:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.317
X-Spam-Level:
X-Spam-Status: No, score=-2.317 tagged_above=-999 required=5 tests=[AWL=0.282, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L9RlP53MLrcJ; Fri, 15 May 2009 07:41:48 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id D8C483A70ED; Fri, 15 May 2009 07:41:36 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1M4yYf-000Hub-Mq for namedroppers-data0@psg.com; Fri, 15 May 2009 14:38:45 +0000
Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <vixie@vix.com>) id 1M4yYN-000Ht6-OD for namedroppers@ops.ietf.org; Fri, 15 May 2009 14:38:38 +0000
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 55CE0A20FA; Fri, 15 May 2009 14:38:22 +0000 (UTC) (envelope-from vixie@nsa.vix.com)
From: Paul Vixie <vixie@isc.org>
To: Bart Smit <bit@pipe.nl>
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
In-Reply-To: Your message of "Fri, 15 May 2009 12:16:57 +0200." <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl>
References: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl>
X-Mailer: MH-E 8.1; nil; GNU Emacs 22.2.1
Date: Fri, 15 May 2009 14:38:22 +0000
Message-ID: <19043.1242398302@nsa.vix.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
> Date: Fri, 15 May 2009 12:16:57 +0200 (CEST) > From: "Bart Smit" <bit@pipe.nl> > > As a relative outsider, but with experience in DNS operations and > security, I've been following the discussions in this wg since around > 2005 and I wonder why the renewed interest in forgery resilience work in > the wake of Kaminsky has subsided so fast. I really had expected that > last year's experience of having to rush out a solution would serve as a > sort of reality check to parties involved, but this effect is markedly > absent. In fact, I now even sense the opposite. A prominent wg member > recently suggested that all such (non-dnssec) work should be swept into > the rubbish bin. I find this incomprehensible and somewhat disturbing. since i mentioned a rubbish bin recently but the above is not a fair summary let me say that TKEY-DH plus TSIG is an existing (already specified but not widely implemented) method of holding session state between pairwise UDP/53 speakers that would absolutely and totally protect hop by hop communications between cooperating initiator/responder pairs. the stuff that i directed toward the rubbish bin was every other current proposal, including my own (dns-0x20). > For this reason, although I hardly feel qualified (in wg context that is) > to do review, I would like to express my support for adopting > draft-hubert-ulevitch-edns-ping.txt as a working group document. And yes, > I'll gladly do review. PING is a layering violation for EDNS and does not add any real security. (as the author of EDNS [RFC2671] i already tried to add an extended QID and found that it could not be done; nothing as changed since RFC2671 came out.) > There is an interest in being able to use the ping option (it's already > being done), so there's a clear need to formalize the option code. > Moreover, suggested use of this option strongly works for meeting forgery > resilience demands, so I don't see why the document should not be adopted, > or why it should be worth all the heated debate. It describes an option, > support for which is entirely optional. This really ought to be > uncontroversial. it's controversial because it only works when it works, and when it fails, there's no distinction between an attack and a failure. we were not idiots back in the old days when EDNS was being crafted. we knew we needed a larger QID. we tried hard to include it. there's no way to do it and still properly negotiate EDNS. secure protocol engineering is apparently not as easy as it looks. > Bart Smit > > Network Engineer at BKWI, The Netherlands > (on personal title) paul vixie author, RFC 2671, http://www.ietf.org/rfc/rfc2671.txt co-author, DNS-0x20, http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Support for EDSN0 PING Bart Smit
- Re: [dnsext] Support for EDSN0 PING W.C.A. Wijngaards
- Re: [dnsext] Support for EDSN0 PING Griffiths, Chris
- Re: [dnsext] Support for EDSN0 PING niels=ietfops
- Re: [dnsext] Support for EDSN0 PING Joe Abley
- Encouragement of debate (was: [dnsext] Support fo… Andrew Sullivan
- Re: [dnsext] Support for EDSN0 PING Bart Smit
- Re: [dnsext] Support for EDSN0 PING Paul Vixie
- Re: [dnsext] Support for EDSN0 PING Paul Vixie
- Re: [dnsext] Support for EDSN0 PING W.C.A. Wijngaards
- Re: Encouragement of debate (was: [dnsext] Suppor… Jeffrey A. Williams
- Re: [dnsext] Support for EDSN0 PING Florian Weimer
- Re: [dnsext] Support for EDSN0 PING Paul Vixie
- Re: [dnsext] Support for EDSN0 PING Matthew Dempsky
- Re: [dnsext] Support for EDSN0 PING Paul Vixie
- Re: [dnsext] Support for EDSN0 PING Matthew Dempsky
- Re: [dnsext] Support for EDSN0 PING Paul Vixie
- Re: [dnsext] Support for EDSN0 PING Matthew Dempsky
- Re: [dnsext] Support for EDSN0 PING Paul Vixie
- Re: [dnsext] Support for EDSN0 PING Paul Vixie
- Re: [dnsext] Support for EDSN0 PING Mark Andrews
- Re: [dnsext] Support for EDSN0 PING Mark Andrews
- Re: [dnsext] Support for EDSN0 PING Paul Vixie