IETF Logo Mail Archive

[RAM] (no subject)

RJ Atkinson <rja@extremenetworks.com> Fri, 15 June 2007 21:24 UTC

Return-path: <ram-bounces@iab.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HzJHB-0000hZ-Bp; Fri, 15 Jun 2007 17:24:13 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HzJHA-0000gu-F7 for ram@iab.org; Fri, 15 Jun 2007 17:24:12 -0400
Received: from eastrmmtao103.cox.net ([68.230.240.9]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HzJH9-0000AH-6X for ram@iab.org; Fri, 15 Jun 2007 17:24:12 -0400
Received: from eastrmimpo01.cox.net ([68.1.16.119]) by eastrmmtao103.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20070615212411.PWNF8543.eastrmmtao103.cox.net@eastrmimpo01.cox.net> for <ram@iab.org>; Fri, 15 Jun 2007 17:24:11 -0400
Received: from [10.30.20.61] ([68.10.118.38]) by eastrmimpo01.cox.net with bizsmtp id BxQA1X0080pnMhQ0000000; Fri, 15 Jun 2007 17:24:10 -0400
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Transfer-Encoding: 7bit
Message-Id: <B4C31DEE-6835-4662-B4B0-F611FB01232D@extremenetworks.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
To: ram@iab.org
From: RJ Atkinson <rja@extremenetworks.com>
Date: Fri, 15 Jun 2007 17:24:09 -0400
X-Mailer: Apple Mail (2.752.3)
X-Spam-Score: 1.6 (+)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Subject: [RAM] (no subject)
X-BeenThere: ram@iab.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing and Addressing Mailing List <ram.iab.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ram>
List-Post: <mailto:ram@iab.org>
List-Help: <mailto:ram-request@iab.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=subscribe>
Errors-To: ram-bounces@iab.org

On Jun 15, 2007, at 6:52 AM, RJ Atkinson wrote:
 >The *only* way to remove potential security issues associated
 >with DNS is to deploy DNS Security.  Period.

Later, Roland Dobbins at cisco wrote:
% There's hardly consensus within the operational community
% surrounding the utility of DNSSEC, if that's what you're
% referring to, so assertions of this nature aren't really
% supportable.

Actually, the assertion is provable.  DNSsec is the *only*
mechanism available to provide cryptographic authentication
of DNS responses.  If someone wants to propose something else,
that is fine, but until some alternative mechanism is
defined and agreed upon then it really is the only option
available.

I realise that moving from the current totally un-authenticated
DNS to one where DNS is authenticated is far from being a
trivial exercise.  There is some operational pain in making
that transition.  I do know of a few organisations that have
made that transition successfully, not many, but there are some.
Even one deployment would be an existence proof and there are
more than one (not many, admittedly).  So it is possible, although
not painless.  (And I'm not discounting the pain. :-(

However, there is no other credible proposal on the table
for providing strong authentication to DNS responses.  And
the threats are real (and have been seen in the wild).
Further, those threats and vulnerabilities do apply to the
current deployed IPv4 Internet.

So my claim was carefully phrased.  I didn't say DNSsec was
easy or trivial to deploy.  I said it was the only way to
remove those security issues -- and my claim is indisputably
true at present.  Maybe later pixie dust will appear and
come up with some other mechanism; I'm not aware of anything
else today that can address the DNS security issues.

And if this exchange motivates someone here to come up with
something better than the IETF DNSsec standards, that isn't
a bad outcome either. :-)

Cheers,

Ran


_______________________________________________
RAM mailing list
RAM@iab.org
https://www1.ietf.org/mailman/listinfo/ram

v2.23.0 | Report a Bug | By Email