Re: [dnsext] Practically secure DNS
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 25 October 2011 23:48 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F4951F0C9A; Tue, 25 Oct 2011 16:48:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1319586539; bh=8VT7dDGrmsUdkitKobZLXZ885/6t8n5pv9k18RzD2t0=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=Z719g5VdtLx4kpa5pXgFbSUEwoHuNpavYIPfVDW9alaA+2Z8fx9Um0gVwawfeOawE y62jbQwl11yqwnwBMimnRC7+bsyqQv4OVkFT1uXm9cyjC5UjiXfuc393MWJlAK1qIC lx7tM8xOM0/D42U6IZNUnIFcvB8WeKp16uiasWng=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A351F0C9A for <dnsext@ietfa.amsl.com>; Tue, 25 Oct 2011 16:48:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.53
X-Spam-Level:
X-Spam-Status: No, score=-3.53 tagged_above=-999 required=5 tests=[AWL=0.069, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uk7TYkS2N3Jm for <dnsext@ietfa.amsl.com>; Tue, 25 Oct 2011 16:48:57 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id CE8FA1F0C96 for <dnsext@ietf.org>; Tue, 25 Oct 2011 16:48:56 -0700 (PDT)
Received: by faas12 with SMTP id s12so1231627faa.31 for <dnsext@ietf.org>; Tue, 25 Oct 2011 16:48:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=RJ12mi8RF84fyVnCQsh1qw43dqr6yypnaHXlm2rtnK8=; b=nTHUFOXAoaOVCZEbtl0KCCwoFGNHTs02Aax17MeERtGKL77ZlMTecx2g7CHhq1w3Kd 5I1idcyFV9P0Y6cFeaanMlMKdfnp709l5oEG7Snw0RgJ35tJVyn+kLGE1IclwRa4zxaR vLYVjJu3p2eNX3qB8PNwJkPWqlDIAa/T0csBM=
MIME-Version: 1.0
Received: by 10.223.76.135 with SMTP id c7mr14855111fak.14.1319586535281; Tue, 25 Oct 2011 16:48:55 -0700 (PDT)
Received: by 10.223.16.78 with HTTP; Tue, 25 Oct 2011 16:48:55 -0700 (PDT)
In-Reply-To: <4EA5FB3D.20509@necom830.hpcl.titech.ac.jp>
References: <20111009135505.GA85221@shinkuro.com> <CACU5sD=-pJUVKG1QmwBX9d-MZJp6_AYkXWDxh_CTAXO=x7+Juw@mail.gmail.com> <20111010051725.3A95214E5206@drugs.dv.isc.org> <CACU5sDnd49zbLxqLFOebFfm6UqJ7qZiQuCqY4DeEA4rHiia8GQ@mail.gmail.com> <20111010220027.F1E2614EB649@drugs.dv.isc.org> <4E9C2413.3030000@nlnetlabs.nl> <20111017134650.816981569E8F@drugs.dv.isc.org> <20111017140437.GA7743@shinkuro.com> <20111018014221.C0E871578C86@drugs.dv.isc.org> <20111018040429.GM7743@shinkuro.com> <20111018054252.1EF21157D5EB@drugs.dv.isc.org> <4E9D1FA2.5020608@necom830.hpcl.titech.ac.jp> <4E9D6BAC.7000100@gis.net> <4E9D8459.1030707@necom830.hpcl.titech.ac.jp> <sjm7h42z8p3.fsf@mocana.ihtfp.org> <4E9E140D.8040803@necom830.hpcl.titech.ac.jp> <20111019015410.5AA45158826F@drugs.dv.isc.org> <4E9EDDE3.3050302@necom830.hpcl.titech.ac.jp> <4EA5329D.8050607@necom830.hpcl.titech.ac.jp> <02C8B7BF-7C6F-4BC2-9A40-2EC087895F58@hopcount.ca> <alpine.DEB.2.00.1110240940230.9077@mail.xelerance.com> <4EA5FB3D.20509@necom830.hpcl.titech.ac.jp>
Date: Tue, 25 Oct 2011 19:48:55 -0400
Message-ID: <CAH1iCipCMGKqvyuujnDaM9VLF_GoC9qeKHFoPfCBR1+szSEUGQ@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Practically secure DNS
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
The proposal does not in any way define "secure", which I believe is going to be problematic for it to be considered by the WG, let alone the IETF. Could you please elaborate on what you mean by "secure"? On Mon, Oct 24, 2011 at 7:56 PM, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote: > Paul Wouters wrote: > >> Isn't all of this already proposed in >> http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01 > > Which one? > >> It also totally ignores the fact that if all involved name servers are >> "secure" (definition unknown) but > > SDNS also totally ignores the fact that SDNS with automatic servers > for clients to modify domain information is not secure if related > servers are not secure. SDNS considers the modification of domain information out-of-scope. However, DNS registry operators, registrars, and DNS hosting operators do not ignore this, and generally employ whatever they consider best practice in securing their servers, and in limiting the extent of problems if a server which by necessity is exposed to the Internet, gets compromised. >> the traffic path is not, > > SDNS with automatic servers for clients to modify domain > information with password confirmation is not secure if the > traffic path is not secure. By negating the conclusion, we in turn infer the negation of the preposition. If the traffic path is secure, SDNS ... is secure. Current best (and common) practice is to submit domain information over secure channels. This includes encrypted email (2048 RSA), physical devices (flash memory), out-of-band (fax), and SSL-protected or IPsec-protected connections (e.g. https). >> the "secure" client is still going to take >> rewritten replies. Eg this draft >> does not even handle the "starbucks wifi" scenario or any transparent >> DNS proxy scenario. > > SDNS also ignores the fact that secure time is practically > impossible to obtain within certain private networks. SDNS does not require secure time, only "pretty good" time to prevent replay and never-expired data usage. Wall-clock time from a reasonably reputable source, such as WWV, the TV, or the USNO web site, are all good enough. Set once, and check every 6 months by comparing to another reasonably okay source, is more than enough for SDNS. SDNS addresses man-in-the-middle (providing modified-but-consistent results). That meets my definition of "secure". How does not addressing man-in-the-middle (which your proposal does not) in any way meet the definition of "pretty secure"? Brian _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Suggested update to RFC 4035 section… Mohan Parthasarathy
- [dnsext] Suggested update to RFC 4035 section 4.9… Mark Andrews
- Re: [dnsext] Suggested update to RFC 4035 section… Mark Andrews
- [dnsext] Why are we re-opening this topic? Was: S… Andrew Sullivan
- Re: [dnsext] Why are we re-opening this topic? Wa… Andrew Sullivan
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… David Conrad
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Andrew Sullivan
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Andrew Sullivan
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Mohan Parthasarathy
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Mohan Parthasarathy
- Re: [dnsext] Why are we re-opening this topic? Wa… Masataka Ohta
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Mohan Parthasarathy
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… W.C.A. Wijngaards
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Andrew Sullivan
- Re: [dnsext] Why are we re-opening this topic? Wa… W.C.A. Wijngaards
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Mohan Parthasarathy
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Mohan Parthasarathy
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Mohan Parthasarathy
- Re: [dnsext] Why are we re-opening this topic? Wa… Andrew Sullivan
- [dnsext] Other views request from chair (was : Wh… Andrew Sullivan
- Re: [dnsext] Other views request from chair (was … Brian Dickson
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Masataka Ohta
- Re: [dnsext] Why are we re-opening this topic? Wa… Danny Mayer
- Re: [dnsext] Why are we re-opening this topic? Wa… Masataka Ohta
- Re: [dnsext] Why are we re-opening this topic? Wa… Derek Atkins
- Re: [dnsext] Other views request from chair (was … Edward Lewis
- Re: [dnsext] Why are we re-opening this topic? Wa… Andrew Sullivan
- Re: [dnsext] Why are we re-opening this topic? Wa… Brian Dickson
- Re: [dnsext] Other views request from chair (was … Michael StJohns
- Re: [dnsext] Other views request from chair (was … Nicholas Weaver
- Re: [dnsext] Other views request from chair (was … Michael StJohns
- Re: [dnsext] Other views request from chair (was … Brian Dickson
- Re: [dnsext] Other views request from chair (was … Nicholas Weaver
- Re: [dnsext] Why are we re-opening this topic? Wa… Masataka Ohta
- Re: [dnsext] Why are we re-opening this topic? Wa… Mark Andrews
- Re: [dnsext] Other views request from chair (was … Rob Austein
- Re: [dnsext] Other views request from chair (was … Mark Andrews
- Re: [dnsext] Why are we re-opening this topic? Wa… Masataka Ohta
- Re: [dnsext] Other views request from chair (was … Mohan Parthasarathy
- Re: [dnsext] Other views request from chair (was … Edward Lewis
- [dnsext] Practically secure DNS Masataka Ohta
- Re: [dnsext] Practically secure DNS Joe Abley
- Re: [dnsext] Practically secure DNS Paul Wouters
- Re: [dnsext] Practically secure DNS Nicholas Weaver
- Re: [dnsext] Practically secure DNS Paul Wouters
- Re: [dnsext] Practically secure DNS Nicholas Weaver
- Re: [dnsext] Practically secure DNS Paul Wouters
- Re: [dnsext] Practically secure DNS Nicholas Weaver
- Re: [dnsext] Practically secure DNS Masataka Ohta
- Re: [dnsext] Practically secure DNS Masataka Ohta
- Re: [dnsext] Practically secure DNS Masataka Ohta
- Re: [dnsext] Practically secure DNS Joe Abley
- Re: [dnsext] Practically secure DNS Masataka Ohta
- Re: [dnsext] Practically secure DNS Joe Abley
- Re: [dnsext] Practically secure DNS Nicholas Weaver
- Re: [dnsext] Practically secure DNS Masataka Ohta
- Re: [dnsext] Practically secure DNS Masataka Ohta
- Re: [dnsext] Practically secure DNS Brian Dickson
- Re: [dnsext] Practically secure DNS Masataka Ohta