Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Allowing DNS servers to operate behind NetScreen 500

From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Fri, 14 Feb 2003 08:58:41 +0100
On Thursday, February 13, 2003 3:39 AM, Rob Payne

[mailto:rnspayne () the-paynes com] wrote:


Nothing personal to anyone, but a lot of firewalls really need to get
these kinds of things right.  If they do not, firewalls are going to
get in the way of (DNS) security when zones start getting signed.
(Rhetorical: Has anyone attempted to fit current DNS data plus
RSA/SHA1 keys and signatures in packets 512 datagrams long?)


The question is when will DNS RRs ever get signed, if at all. The sheer
amount of queries and number of records being requested, as well as the
tremendous increase in payload due to signatures appears to create very
real, practical problems. See http://cr.yp.to/djbdns/forgery.html and
http://cr.yp.to/talks/2003dnssec.pdf.

Cheers,
Tobias
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: