[RAM] (no subject)
RJ Atkinson <rja@extremenetworks.com> Fri, 15 June 2007 21:24 UTC
Return-path: <ram-bounces@iab.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HzJHB-0000hZ-Bp; Fri, 15 Jun 2007 17:24:13 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HzJHA-0000gu-F7 for ram@iab.org; Fri, 15 Jun 2007 17:24:12 -0400
Received: from eastrmmtao103.cox.net ([68.230.240.9]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HzJH9-0000AH-6X for ram@iab.org; Fri, 15 Jun 2007 17:24:12 -0400
Received: from eastrmimpo01.cox.net ([68.1.16.119]) by eastrmmtao103.cox.net (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP id <20070615212411.PWNF8543.eastrmmtao103.cox.net@eastrmimpo01.cox.net> for <ram@iab.org>; Fri, 15 Jun 2007 17:24:11 -0400
Received: from [10.30.20.61] ([68.10.118.38]) by eastrmimpo01.cox.net with bizsmtp id BxQA1X0080pnMhQ0000000; Fri, 15 Jun 2007 17:24:10 -0400
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Transfer-Encoding: 7bit
Message-Id: <B4C31DEE-6835-4662-B4B0-F611FB01232D@extremenetworks.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
To: ram@iab.org
From: RJ Atkinson <rja@extremenetworks.com>
Date: Fri, 15 Jun 2007 17:24:09 -0400
X-Mailer: Apple Mail (2.752.3)
X-Spam-Score: 1.6 (+)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Subject: [RAM] (no subject)
X-BeenThere: ram@iab.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing and Addressing Mailing List <ram.iab.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ram>
List-Post: <mailto:ram@iab.org>
List-Help: <mailto:ram-request@iab.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=subscribe>
Errors-To: ram-bounces@iab.org
On Jun 15, 2007, at 6:52 AM, RJ Atkinson wrote: >The *only* way to remove potential security issues associated >with DNS is to deploy DNS Security. Period. Later, Roland Dobbins at cisco wrote: % There's hardly consensus within the operational community % surrounding the utility of DNSSEC, if that's what you're % referring to, so assertions of this nature aren't really % supportable. Actually, the assertion is provable. DNSsec is the *only* mechanism available to provide cryptographic authentication of DNS responses. If someone wants to propose something else, that is fine, but until some alternative mechanism is defined and agreed upon then it really is the only option available. I realise that moving from the current totally un-authenticated DNS to one where DNS is authenticated is far from being a trivial exercise. There is some operational pain in making that transition. I do know of a few organisations that have made that transition successfully, not many, but there are some. Even one deployment would be an existence proof and there are more than one (not many, admittedly). So it is possible, although not painless. (And I'm not discounting the pain. :-( However, there is no other credible proposal on the table for providing strong authentication to DNS responses. And the threats are real (and have been seen in the wild). Further, those threats and vulnerabilities do apply to the current deployed IPv4 Internet. So my claim was carefully phrased. I didn't say DNSsec was easy or trivial to deploy. I said it was the only way to remove those security issues -- and my claim is indisputably true at present. Maybe later pixie dust will appear and come up with some other mechanism; I'm not aware of anything else today that can address the DNS security issues. And if this exchange motivates someone here to come up with something better than the IETF DNSsec standards, that isn't a bad outcome either. :-) Cheers, Ran _______________________________________________ RAM mailing list RAM@iab.org https://www1.ietf.org/mailman/listinfo/ram
- [RAM] (no subject) RJ Atkinson
- Re: [RAM] (no subject) Brian E Carpenter
- RE: [RAM] (no subject) Templin, Fred L
- Re: [RAM] (no subject) HeinerHummel
- [RAM] (no subject) RJ Atkinson
- [RAM] (no subject) RJ Atkinson
- [RAM] (no subject) Lixia Zhang