Re: [dnsext] Forgery resilience and meeting in Stockholm
Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Mon, 11 May 2009 12:52 UTC
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, Andrew Sullivan <ajs@shinkuro.com>, namedroppers@ops.ietf.org
Message-Id: <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu>
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
To: Florian Weimer <fweimer@bfk.de>
In-Reply-To: <82prefq1dz.fsf@mid.bfk.de>
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 05:48:59 -0700
References: <20090508181422.GH2372@shinkuro.com> <82prefq1dz.fsf@mid.bfk.de>
On May 11, 2009, at 5:18 AM, Florian Weimer wrote:

> * Andrew Sullivan:
>
>> 3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps
>> this gets included in that document, or perhaps it proceeds as part of
>> a set of documents. Let's leave the editorial process issues out of
>> the discussion, and just focus on whether we want to include this
>> strategy in the tool box.
>>
>> 4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this
>> might be included as part of (2) or processed individually, but that
>> doesn't matter.
>
> Both drafts are not worth the WG's efforts, IMHO.

I can see such an argument against EDNS0-ping, but what is your argument against 0x20? 0x20 is just about as validated-as-you-can-get already within the current DNS operations.

> On the other hand, it seems to me that the current DNSSEC
> implementations require a certain level of channel security to work
> reliably. If it turns out that source port randomization is really
> not good enough, DNSSEC is affected as well (even if it's just a
> denial of service).

I don't think this denial of service is all that significant, because there are easy fallbacks for such failures to generate new requests (it sounds like that's what Bind does already), and any resolver with DNSSEC is still going to need source port randomization for all the stuff that isn't DNSSEC yet. There are far better things for an attacker to do than waste 2^30+ packets in that way.
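An added illustration of the 0x20 mechanism the message refers to (draft-vixie-dnsext-dns0x20): the resolver randomises the case of each letter in the query name, and accepts a response only if its question section echoes that exact case, so each letter costs an off-path forger one more bit on top of the transaction ID and source port. This is example code written for this archive page, not code from the draft or from any resolver discussed in the thread; the 16-bit figures for TXID and port entropy and the one-outstanding-query assumption in the packet estimate are assumptions.

```python
import secrets


def dns0x20_encode(qname: str, rng=secrets.randbits) -> str:
    """Randomise the case of every ASCII letter in a query name.

    rng(1) must return 0 or 1; it is a parameter so tests can be deterministic.
    Digits, hyphens and label separators carry no case and are left unchanged.
    """
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def dns0x20_bits(qname: str) -> int:
    """Entropy bits 0x20 adds to one query: one per ASCII letter in the name."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def dns0x20_matches(sent_qname: str, answer_qname: str) -> bool:
    """Accept a response only if its question name echoes the case we sent.

    A name that matches only case-insensitively is either a forgery guess
    that missed the case bits or a server that rewrote the name; in both
    cases the resolver should drop the packet and keep waiting.
    """
    if sent_qname.lower() != answer_qname.lower():
        return False  # not even an answer to our question
    return sent_qname == answer_qname


def forgery_entropy_bits(qname: str, txid_bits: int = 16, port_bits: int = 16) -> int:
    """Bits an off-path attacker must guess per forged response (assumed 16 + 16 + 0x20)."""
    return txid_bits + port_bits + dns0x20_bits(qname)


def expected_spoofed_packets(bits: int) -> int:
    """Mean number of uniformly guessed forgeries before one matches, assuming a
    single outstanding query and one guess per packet: about half the space."""
    return 2 ** (bits - 1)
```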