Re: Allowing DNS servers to operate behind NetScreen 500

[Rob Payne <rnspayne () the-paynes com>]

On Fri, Feb 14, 2003 at 08:58:41AM +0100, Reckhard, Tobias wrote:
> > On Thursday, February 13, 2003 3:39 AM, Rob Payne
> [mailto:rnspayne () the-paynes com] wrote:
> > Nothing personal to anyone, but a lot of firewalls really need to get
> > these kinds of things right.  If they do not, firewalls are going to
> > get in the way of (DNS) security when zones start getting signed.
> > (Rhetorical: Has anyone attempted to fit current DNS data plus
> > RSA/SHA1 keys and signatures in packets 512 datagrams long?)
>
> The question is when will DNS RRs ever get signed, if at all. The sheer
> amount of queries and number of records being requested, as well as the
> tremendous increase in payload due to signatures appears to create very
> real, practical problems. See http://cr.yp.to/djbdns/forgery.html and
> http://cr.yp.to/talks/2003dnssec.pdf.

Tobias, is that some type of bait?  DJB's ideas on the issue are quite
well known, he thinks we should all go back to a hosts file and
copying it from machine to machine.  Are you using ``nym-based
security'', currently?  When are you going to start?

Well, to get an answer on that, you might have to talk to some other
than DJB, who has no practical experience if he thinks you can rename
your machines every time you change keys.  From the forgery.html page
you referenced, ``The idea is simply to give each computer a name that
includes the computer's nym, a fingerprint of the computer's public
key.''

Keys need to expire, be revoked, replaced, etc. in a real world crypto
setting.  Computer names cannot change every time a key expires.  If
anyone goes with his nym-based security scheme, they will begin to
keep the same keys forever, thus defeating the advantage of the key in
the first place.

Assuming your question was not meant to be inflammatory, but that you
really wanted an answer, here goes.

There are operational zones currently being signed.  In fact, there
was a proposal at IETF 56, (11/2002 in Atlanta,) to begin signing of
the root zone
(http://www.ietf.org/internet-drafts/draft-ihren-dnsop-interim-signed-root-00.txt).

Most of the TLD's are already participating in signed test beds
(operationally signing their zones.)  The real problem zones, in terms
of signing are .nl and .com, because of the zone sizes.  There are
drafts being discussed that address the concerns of signing these
zones.
(http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-opt-in-04.txt)

If that does not sufficiently answer your question, I would be happy
to provide you with any additional information that I can.

                                 -rob

Attachment: _bin
Description: