Firewall Wizards mailing list archives

Re: Allowing DNS servers to operate behind NetScreen 500


From: Rob Payne <rnspayne () the-paynes com>
Date: Sat, 15 Feb 2003 15:31:21 -0500

On Sat, Feb 15, 2003 at 09:03:14AM -0800, tqbf () sockpuppet org wrote:
Tobias, is that some type of bait?  DJB's ideas on the issue are quite
well known, he thinks we should all go back to a hosts file and
copying it from machine to machine.  Are you using ``nym-based
security'', currently?  When are you going to start?

This is a ridiculous ad-hominem that has no relevance whatsoever to
Bernstein's actual position in the DNS security controversy. 

Thomas, that comment is ridiculously specious.  I asked if Tobias was
using nym-based security and then discussed why it is not practical.
Are you, or more importantly is your employer, going to name systems
using a public key fingerprint?  If you do, what happens to the
credibility of the system when the name changes because a public key
expired and needs to be changed?  How about when a system is broken
into and the key is compromised?

This is a security list, everyone here should be willing to
acknowledge that no systems are "perfectly secure."  Given that, why
would you use security that is based upon the false assumption that a
key is never compromised?

At issue is whether any credible set of protocols and plans exists
to cryptographically secure DNS with a hierarchy of keys. Since
Vixie himself seems to have indicated that the DNSSEC protocols
Bernstein has refused to implement were a false start, don't you
feel a bit embarrassed using them as an excuse to bash an implementor
on a public mailing list?

I did nothing to bash any "implementor" on a public mailing list,
certainly nothing to be embarrassed about.  As I said, Professor Dan's
ideas on the subject are well-known.  The only reason I mentioned him
at all was to ask Tobias about the references he made to a web site
regarding DJB.  Your reference to Paul Vixie is a nearly direct quote
from the same web pages and has absolutely no relevance.  "Vixie," as
you call him, made that statement in reference to 2535.  The
references I listed in my previous messages are aimed at replacing
2535 in a way that fixes the problems that were found when
implementing 2535.

Let's take this a step farther, so no one feels this has anything to
do with any DNS implementors.  My point was that firewalls that block
fragmented UDP packets used by EDNS are getting in the way of
security.  Let's ignore everything currently being done regarding
DNSSEC by the IETF since anything regarding DNSSEC not said by
Professor B. seems to be such a sensitive topic.  Instead let's focus
on any transaction that simply requires large DNS packets.

For instance, a well-distributed set of name servers whose names have
been created using nyms.  If you take 13 hosts with names based upon
SHA1 fingerprints, and use them as the name servers for a zone, you
cannot transmit that DNS message in 512-byte datagrams.  My original point
still holds if the firewall blocks fragmented DNS.  

DNSSEC was an example.  It is not the only reason why firewalls need
to do the right thing with DNS.

                                 -rob
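The size argument in the message above can be checked directly. The Python below is an added example, not code from the post or from any DNS implementation: it encodes an authoritative NS answer in RFC 1035 wire format (with label compression and an optional EDNS0 OPT record), populates it with 13 "nym" server names built from hex SHA-1 digests, and reports how a UDP response of that size reaches a client. The zone name `example.com`, the dummy key material hashed into the names, and the 192.0.2.x / 2001:db8:: glue addresses are all constructed for the example; the 1472-byte and 1232-byte thresholds are the largest UDP payloads that avoid IP fragmentation on an IPv4 Ethernet path and on an IPv6 minimum-MTU path respectively.

```python
import hashlib
import struct

# Zone and server names are constructed for this example, not taken from the post.
ZONE = "example.com"


def encode_name(name, buf, offsets):
    """Append `name` to `buf` in DNS wire format (RFC 1035 section 4.1.4),
    emitting a 2-byte compression pointer for any suffix already recorded in
    `offsets` (maps suffix string -> byte offset within the message)."""
    labels = name.rstrip(".").split(".")
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:
            buf += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        if len(buf) < 0x3FFF:          # a pointer can only address 14 bits
            offsets[suffix] = len(buf)
        label = labels.pop(0).encode("ascii")
        buf.append(len(label))
        buf += label
    buf.append(0)                      # root label terminates the name


def nym_servers(zone, count):
    """Constructed 'nym' hostnames: the hex SHA-1 of a dummy key blob (40 chars,
    so one 41-byte label on the wire), placed under `zone`."""
    return [hashlib.sha1(f"dummy-key-{i}".encode()).hexdigest() + "." + zone
            for i in range(count)]


def build_ns_response(zone, servers, edns_udp_size=None):
    """Build an authoritative NS answer with A and AAAA glue for every server
    and, if `edns_udp_size` is given, an EDNS0 OPT record advertising it."""
    buf = bytearray()
    offsets = {}
    arcount = 2 * len(servers) + (1 if edns_udp_size else 0)
    # Header: ID, flags (QR=1, AA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    buf += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, arcount)
    encode_name(zone, buf, offsets)
    buf += struct.pack("!HH", 2, 1)                  # QTYPE=NS, QCLASS=IN
    for srv in servers:                              # answer section: NS RRs
        encode_name(zone, buf, offsets)              # owner compresses to the question
        buf += struct.pack("!HHIH", 2, 1, 3600, 0)   # TYPE, CLASS, TTL, RDLENGTH placeholder
        rdlen_pos, start = len(buf) - 2, len(buf)
        encode_name(srv, buf, offsets)               # NSDNAME, zone suffix compressed
        struct.pack_into("!H", buf, rdlen_pos, len(buf) - start)
    for i, srv in enumerate(servers):                # additional section: glue
        encode_name(srv, buf, offsets)               # name already seen -> 2-byte pointer
        buf += struct.pack("!HHIH", 1, 1, 3600, 4)   # TYPE=A
        buf += bytes([192, 0, 2, i + 1])             # constructed TEST-NET-1 address
        encode_name(srv, buf, offsets)
        buf += struct.pack("!HHIH", 28, 1, 3600, 16)  # TYPE=AAAA
        buf += struct.pack("!8H", 0x2001, 0x0DB8, 0, 0, 0, 0, 0, i + 1)  # 2001:db8::i
    if edns_udp_size:
        # OPT pseudo-RR: root owner name, TYPE=41, CLASS field carries the UDP payload size
        buf += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return bytes(buf)


def delivery_class(size, edns_udp_size=None, max_unfragmented=1472):
    """How a UDP response of `size` bytes reaches the client. `max_unfragmented`
    is the largest UDP payload the path carries in one IP packet (1472 for
    IPv4 Ethernet, 1232 for the IPv6 minimum MTU)."""
    if size <= 512:
        return "classic"         # plain RFC 1035 UDP, no EDNS required
    if edns_udp_size is None or size > edns_udp_size:
        return "tcp"             # server sets TC=1, client must retry over TCP
    if size > max_unfragmented:
        return "fragmented"      # one UDP datagram, split into IP fragments
    return "edns"                # one unfragmented EDNS UDP datagram


if __name__ == "__main__":
    for n in (1, 4, 8, 13):
        msg = build_ns_response(ZONE, nym_servers(ZONE, n), edns_udp_size=4096)
        print(f"{n:2d} nym NS records + glue: {len(msg):4d} bytes -> "
              f"IPv4 path {delivery_class(len(msg), 4096)}, "
              f"IPv6 path {delivery_class(len(msg), 4096, 1232)}")
```

With 13 digest-named servers the answer alone is well past 512 bytes, so a resolver without EDNS gets TC=1 and must fall back to TCP; with EDNS the same response rides in one UDP datagram, and once glue pushes it above the path's unfragmented payload size it arrives as IP fragments, which is exactly the traffic a firewall that drops fragmented UDP silently discards. The "fragmented" verdict is the one to watch for when reviewing a firewall policy in front of an authoritative server.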
