Re: [RAM] DNS usage in NERD

Eliot Lear <lear@cisco.com> Sat, 16 June 2007 11:47 UTC

Message-ID: <4673CDCB.4050805@cisco.com>
Date: Sat, 16 Jun 2007 12:47:23 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
MIME-Version: 1.0
To: Roland Dobbins <rdobbins@cisco.com>
Subject: Re: [RAM] DNS usage in NERD
References: <1733F2C0-324A-4C66-9904-F0B597271642@extremenetworks.com> <E6AB85F0-CA95-4BF2-AC8F-5DEC598ACA13@cisco.com>
In-Reply-To: <E6AB85F0-CA95-4BF2-AC8F-5DEC598ACA13@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: RJ Atkinson <rja@extremenetworks.com>, ram@iab.org

Roland, Ran,

>> The *only* way to remove potential security issues associated
>> with DNS is to deploy DNS Security.  Period.
>
> There's hardly consensus within the operational community surrounding 
> the utility of DNSSEC, if that's what you're referring to, so 
> assertions of this nature aren't really supportable.
Obviously you're both right. The way I see it, when we start to see real 
exploits we *probably* have a way to get around them, and operators 
might become more motivated to implement DNSSEC (regardless of whether 
NERD is deployed).  But in this case, I would think the risk is limited 
to that of a denial of service, because the database and updates are 
signed.  Perhaps a few words are in order in the draft?

Eliot

_______________________________________________
RAM mailing list
RAM@iab.org
https://www1.ietf.org/mailman/listinfo/ram