Firewall Wizards mailing list archives
Re: Allowing DNS servers to operate behind NetScreen 500
From: Rob Payne <rnspayne () the-paynes com>
Date: Sat, 15 Feb 2003 15:31:21 -0500
On Sat, Feb 15, 2003 at 09:03:14AM -0800, tqbf () sockpuppet org wrote:
> > Tobias, is that some type of bait? DJB's ideas on the issue are quite well known, he thinks we should all go back to a hosts file and copying it from machine to machine. Are you using ``nym-based security'', currently? When are you going to start?
>
> This is a ridiculous ad-hominem that has no relevance whatsoever to Bernstein's actual position in the DNS security controversy.
Thomas, that comment is ridiculously specious. I asked if Tobias was using nym-based security and then discussed why it is not practical. Are you, or more importantly is your employer, going to name systems using a public key fingerprint? If you do, what happens to the credibility of the system when the name changes because a public key expired and needs to be changed? How about when a system is broken into and the key is compromised? This is a security list, everyone here should be willing to acknowledge that no systems are "perfectly secure." Given that, why would you use security that is based upon the false assumption that a key is never compromised?
> At issue is whether any credible set of protocols and plans exists to cryptographically secure DNS with a hierarchy of keys. Since Vixie himself seems to have indicated that the DNSSEC protocols Bernstein has refused to implement were a false start, don't you feel a bit embarrassed using them as an excuse to bash an implementor on a public mailing list?
I did nothing to bash any "implementor" on a public mailing list, certainly nothing to be embarrassed about. As I said, Professor Dan's ideas on the subject are well-known. The only reason I mentioned him at all was to ask Tobias about the references he made to a web site regarding DJB. Your reference to Paul Vixie is a nearly direct quote from the same web pages and has absolutely no relevance. "Vixie," as you call him, made that statement in reference to 2535. The references I listed in my previous messages are aimed at replacing 2535 in a way that fixes the problems that were found when implementing 2535.

Let's take this a step farther, so no one feels this has anything to do with any DNS implementors. My point was that firewalls that block fragmented UDP packets used by EDNS are getting in the way of security. Let's ignore everything currently being done regarding DNSSEC by the IETF since anything regarding DNSSEC not said by Professor B. seems to be such a sensitive topic. Instead let's focus on any transaction that simply requires large DNS packets. For instance, a well-distributed set of name servers whose names have been created using nyms. If you take 13 hosts with names based upon SHA1 fingerprints, and use them as the name servers for a zone, you cannot transmit that DNS message in 512-byte datagrams. My original point still holds if the firewall blocks fragmented DNS. DNSSEC was an example. It is not the only reason why firewalls need to do the right thing with DNS.

-rob
Current thread:
- Allowing DNS servers to operate behind NetScreen 500 Gebhart, Glenn (Feb 03)
- <Possible follow-ups>
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 03)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 13)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 Reckhard, Tobias (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 tqbf (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Paul D. Robertson (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 15)
- Re: DNS vs. Bernstein tqbf (Feb 15)
- Re: DNS and Firewalls Rob Payne (Feb 20)
- Re: DNS Extensions and Firewalls Thomas H. Ptacek (Feb 21)
- Re: DNS Extensions and Firewalls Frank Knobbe (Feb 22)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Volker Tanger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Mike Scher (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Chuck Swiger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 David Lang (Feb 18)