Firewall Wizards mailing list archives
Re: Allowing DNS servers to operate behind NetScreen 500
From: Rob Payne <rnspayne () the-paynes com>
Date: Fri, 14 Feb 2003 22:10:43 -0500
On Fri, Feb 14, 2003 at 08:58:41AM +0100, Reckhard, Tobias wrote:
> On Thursday, February 13, 2003 3:39 AM, Rob Payne [mailto:rnspayne () the-paynes com] wrote:
> > Nothing personal to anyone, but a lot of firewalls really need to get these kinds of things right. If they do not, firewalls are going to get in the way of (DNS) security when zones start getting signed. (Rhetorical: Has anyone attempted to fit current DNS data plus RSA/SHA1 keys and signatures in packets 512 datagrams long?)
>
> The question is when will DNS RRs ever get signed, if at all. The sheer amount of queries and number of records being requested, as well as the tremendous increase in payload due to signatures, appears to create very real, practical problems. See http://cr.yp.to/djbdns/forgery.html and http://cr.yp.to/talks/2003dnssec.pdf.
Tobias, is that some type of bait? DJB's ideas on the issue are quite well known: he thinks we should all go back to a hosts file and copying it from machine to machine. Are you using "nym-based security" currently? When are you going to start? Well, to get an answer on that, you might have to talk to someone other than DJB, who has no practical experience if he thinks you can rename your machines every time you change keys.

From the forgery.html page you referenced, "The idea is simply to give each computer a name that includes the computer's nym, a fingerprint of the computer's public key." Keys need to expire, be revoked, replaced, etc. in a real world crypto setting. Computer names cannot change every time a key expires. If anyone goes with his nym-based security scheme, they will begin to keep the same keys forever, thus defeating the advantage of the key in the first place.

Assuming your question was not meant to be inflammatory, but that you really wanted an answer, here goes. There are operational zones currently being signed. In fact, there was a proposal at IETF 56 (11/2002 in Atlanta) to begin signing of the root zone (http://www.ietf.org/internet-drafts/draft-ihren-dnsop-interim-signed-root-00.txt). Most of the TLDs are already participating in signed test beds (operationally signing their zones). The real problem zones, in terms of signing, are .nl and .com, because of the zone sizes. There are drafts being discussed that address the concerns of signing these zones (http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-opt-in-04.txt).

If that does not sufficiently answer your question, I would be happy to provide you with any additional information that I can.

-rob
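The rhetorical question quoted above (can current DNS data plus RSA/SHA1 keys and signatures fit in 512-byte datagrams?) and Tobias's remark about the payload increase can be checked by building the wire-format messages and measuring them. The following is an added example written for this archive page; it is not code from anyone in the thread. Assumptions: the zone is example.com (an RFC 2606 reserved name), keys are 1024-bit or 2048-bit RSA/SHA1 (algorithm 5, RFC 3110) with placeholder moduli and signatures, the record types use the RFC 4034 RRSIG/DNSKEY codes (the thread predates that renaming; RFC 2535 SIG/KEY have the same RDATA layout), owner names are compressed with a pointer to the question name, and no NS or authority records are included, so real responses are somewhat larger than these figures.

```python
import struct

# Added example (not from the thread): sizes of DNSSEC-style responses versus the
# 512-byte UDP limit of RFC 1035. Names, key sizes and record contents are assumptions.
UDP_LIMIT = 512                               # RFC 1035 4.2.1: max UDP payload without EDNS0
TYPE_A, TYPE_RRSIG, TYPE_DNSKEY = 1, 46, 48   # RFC 4034 codes; RDATA layout matches RFC 2535 SIG/KEY
CLASS_IN = 1
ALG_RSASHA1 = 5                               # RFC 3110 RSA/SHA-1
ZONE = "example.com."                         # constructed sample zone (RFC 2606 reserved name)
PTR_TO_QNAME = b"\xc0\x0c"                    # compression pointer to the question name at offset 12


def encode_name(name: str) -> bytes:
    """Dotted name -> RFC 1035 label sequence, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def dnskey_rdata(modulus_bits: int, flags: int) -> bytes:
    """DNSKEY/KEY RDATA: flags, protocol 3, algorithm, then the RFC 3110 RSA public key
    (exponent length, exponent 65537, modulus). The modulus is an all-zero placeholder."""
    exponent = b"\x01\x00\x01"
    public_key = bytes([len(exponent)]) + exponent + b"\x00" * (modulus_bits // 8)
    return struct.pack("!HBB", flags, 3, ALG_RSASHA1) + public_key


def rrsig_rdata(type_covered: int, labels: int, ttl: int, signer: bytes, modulus_bits: int) -> bytes:
    """RRSIG/SIG RDATA: 18-byte fixed part, signer name, signature as long as the RSA modulus.
    Expiration, inception and key tag are zero placeholders; only the length matters here."""
    fixed = struct.pack("!HBBIIIH", type_covered, ALG_RSASHA1, labels, ttl, 0, 0, 0)
    return fixed + signer + b"\x00" * (modulus_bits // 8)


def build_response(qname: str, qtype: int, answers, additional=()) -> bytes:
    """Authoritative response: header, one question, answer and additional sections.
    ID 0x1234 is arbitrary; flags 0x8400 = QR + AA."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(additional)


def response_sizes(modulus_bits: int = 1024) -> dict:
    """Wire sizes of the same answer unsigned, signed, and with the zone's keys attached."""
    signer = encode_name(ZONE)
    a_rrset = [rr(PTR_TO_QNAME, TYPE_A, 3600, bytes([192, 0, 2, 1]))]   # 192.0.2.1, RFC 5737 range
    a_sig = [rr(PTR_TO_QNAME, TYPE_RRSIG, 3600, rrsig_rdata(TYPE_A, 2, 3600, signer, modulus_bits))]
    keys = [rr(PTR_TO_QNAME, TYPE_DNSKEY, 3600, dnskey_rdata(modulus_bits, 256)),   # ZSK flags
            rr(PTR_TO_QNAME, TYPE_DNSKEY, 3600, dnskey_rdata(modulus_bits, 257))]   # KSK flags
    key_sig = [rr(PTR_TO_QNAME, TYPE_RRSIG, 3600, rrsig_rdata(TYPE_DNSKEY, 2, 3600, signer, modulus_bits))]
    return {
        "unsigned A": len(build_response(ZONE, TYPE_A, a_rrset)),
        "signed A": len(build_response(ZONE, TYPE_A, a_rrset + a_sig)),
        "signed A + keys in additional": len(build_response(ZONE, TYPE_A, a_rrset + a_sig, keys + key_sig)),
        "DNSKEY query": len(build_response(ZONE, TYPE_DNSKEY, keys + key_sig)),
    }


def fits_in_udp(size: int, limit: int = UDP_LIMIT) -> bool:
    return size <= limit


def question_length(msg: bytes) -> int:
    """Length of the question section that starts right after the 12-byte header."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4 - 12


def udp_reply(msg: bytes, limit: int = UDP_LIMIT) -> bytes:
    """Model of a pre-EDNS0 server on UDP: the full message if it fits, otherwise a reply with
    the TC bit set and only the question kept (real servers may keep whatever records fit).
    A TC reply makes the resolver retry over TCP port 53, which the firewall must let through."""
    if len(msg) <= limit:
        return msg
    flags = struct.unpack("!H", msg[2:4])[0] | 0x0200                       # set TC
    header = msg[:2] + struct.pack("!H", flags) + msg[4:6] + b"\x00" * 6   # AN/NS/AR counts = 0
    return header + msg[12:12 + question_length(msg)]


def tc_set(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)


if __name__ == "__main__":
    for bits in (1024, 2048):
        for label, size in response_sizes(bits).items():
            print(f"{bits}-bit RSA/SHA1, {label}: {size} bytes, fits in 512: {fits_in_udp(size)}")
```

With 1024-bit keys a single signed A answer still fits comfortably, but as soon as the zone's two keys and their signature ride along (or a DNSKEY query is answered with 2048-bit keys) the message passes 512 bytes and a server without EDNS0 can only answer with a truncated reply, which sends the resolver to TCP port 53. That is the case a firewall that only permits UDP/53 will silently break.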
Current thread:
- Allowing DNS servers to operate behind NetScreen 500 Gebhart, Glenn (Feb 03)
- <Possible follow-ups>
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 03)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 13)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 Reckhard, Tobias (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 tqbf (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Paul D. Robertson (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 15)
- Re: DNS vs. Bernstein tqbf (Feb 15)
- Re: DNS and Firewalls Rob Payne (Feb 20)
- Re: DNS Extensions and Firewalls Thomas H. Ptacek (Feb 21)
- Re: DNS Extensions and Firewalls Frank Knobbe (Feb 22)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Volker Tanger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Mike Scher (Feb 17)