Re: increasing DNS message entropy, a solution for NATs

Ray.Bellis@nominet.org.uk Thu, 31 July 2008 09:31 UTC

In-Reply-To: <48917DC8.7070004@e164.org>
To: Duane <duane@e164.org>
Cc: namedroppers@ops.ietf.org
Subject: Re: increasing DNS message entropy, a solution for NATs
Message-ID: <OFCCB95657.08BB98E3-ON80257497.0032B72A-80257497.00337032@nominet.org.uk>
From: Ray.Bellis@nominet.org.uk
Date: Thu, 31 Jul 2008 10:21:50 +0100

> Ok, so problem solved as far as I can see, someone just needs to tell
> hardware companies to fix NAT + DNS and that's that.

Actually there's stacks of other stuff that the router manufacturers need
to fix relating to DNS, particularly w.r.t. the DNS proxies contained in
most CPE:

-  tcp/53 support - currently almost non-existent
-  DNSSEC support - some mfrs block DNSSEC queries
-  EDNS0 - many DNS proxies can't do UDP fragment reassembly
-  open udp/53 ports on the WAN interface
-  probable "poor" PRNGs for port and QID selection (cf. Ben's blog article)

There's going to be a report published fairly soon containing the results 
of a joint study between myself and a US-based researcher detailing which 
routers have various deficiencies.

Ray


-- 
Ray Bellis, MA(Oxon)
Senior Researcher in Advanced Projects, Nominet
e: ray@nominet.org.uk, t: +44 1865 332211
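As an added illustration (not part of Ray's message, nor of the study it mentions), the kind of offline check a defender could run over the source ports and query IDs observed leaving a CPE DNS proxy to judge the last bullet. The three sample captures are constructed, and the 10% "predictable step" threshold is an assumption; the point the numbers make is that a counter-like proxy shows the same empirical entropy as a randomising one, so counting distinct values is not enough.

```python
"""Assess port / query-ID randomisation from observed DNS queries (illustrative)."""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of a sample, in bits (capped at log2(len(values)))."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def predictable_step_fraction(values, modulus=65536):
    """Fraction of consecutive samples whose difference (mod 2^16) is at most 2,
    i.e. a counter-like sequence that can be extrapolated from a few observations."""
    steps = [(b - a) % modulus for a, b in zip(values, values[1:])]
    if not steps:
        return 0.0
    return sum(1 for d in steps if d <= 2 or modulus - d <= 2) / len(steps)


def assess(samples, max_step_fraction=0.1):
    """samples: list of (source_port, query_id) pairs in the order they were sent.
    Returns a report dict; 'weak' flags a fixed port or counter-like behaviour."""
    ports = [p for p, _ in samples]
    qids = [q for _, q in samples]
    report = {
        "port_entropy_bits": shannon_entropy_bits(ports),
        "qid_entropy_bits": shannon_entropy_bits(qids),
        "port_step_fraction": predictable_step_fraction(ports),
        "qid_step_fraction": predictable_step_fraction(qids),
        "distinct_ports": len(set(ports)),
    }
    report["weak"] = (report["distinct_ports"] == 1
                      or report["port_step_fraction"] > max_step_fraction
                      or report["qid_step_fraction"] > max_step_fraction)
    return report


# Constructed captures (64 queries each), not real device data.
SEQUENTIAL_PROXY = [(1024 + i, 0x1000 + i) for i in range(64)]        # counters
_rng = random.Random(1)
FIXED_PORT_PROXY = [(53, _rng.randrange(65536)) for _ in range(64)]   # one source port
RANDOMISED_PROXY = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                    for _ in range(64)]                                # both randomised

if __name__ == "__main__":
    for name, capture in [("sequential", SEQUENTIAL_PROXY),
                          ("fixed-port", FIXED_PORT_PROXY),
                          ("randomised", RANDOMISED_PROXY)]:
        print(name, assess(capture))
```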



archive: <http://ops.ietf.org/lists/namedroppers/>