Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500

From: Rob Payne (
Date: 02/15/03

  • Next message: "Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500"
    From: Rob Payne <>
    To: "Reckhard, Tobias" <>
    Date: Fri, 14 Feb 2003 22:10:43 -0500

    On Fri, Feb 14, 2003 at 08:58:41AM +0100, Reckhard, Tobias wrote:
    > > On Thursday, February 13, 2003 3:39 AM, Rob Payne
    > [] wrote:
    > >
    > > Nothing personal to anyone, but a lot of firewalls really need to get
    > > these kinds of things right. If they do not, firewalls are going to
    > > get in the way of (DNS) security when zones start getting signed.
    > > (Rhetorical: Has anyone attempted to fit current DNS data plus
    > > RSA/SHA1 keys and signatures in packets 512 datagrams long?)
    > The question is when will DNS RRs ever get signed, if at all. The sheer
    > amount of queries and number of records being requested, as well as the
    > tremendous increase in payload due to signatures appears to create very
    > real, practical problems. See and

    Tobias, is that some type of bait? DJB's ideas on the issue are quite
    well known, he thinks we should all go back to a hosts file and
    copying it from machine to machine. Are you using ``nym-based
    security'', currently? When are you going to start?

    Well, to get an answer on that, you might have to talk to some other
    than DJB, who has no practical experience if he thinks you can rename
    your machines every time you change keys. From the forgery.html page
    you referenced, ``The idea is simply to give each computer a name that
    includes the computer's nym, a fingerprint of the computer's public

    Keys need to expire, be revoked, replaced, etc. in a real world crypto
    setting. Computer names cannot change every time a key expires. If
    anyone goes with his nym-based security scheme, they will begin to
    keep the same keys forever, thus defeating the advantage of the key in
    the first place.

    Assuming your question was not meant to be inflammatory, but that you
    really wanted an answer, here goes.

    There are operational zones currently being signed. In fact, there
    was a proposal at IETF 56, (11/2002 in Atlanta,) to begin signing of
    the root zone

    Most of the TLD's are already participating in signed test beds
    (operationally signing their zones.) The real problem zones, in terms
    of signing are .nl and .com, because of the zone sizes. There are
    drafts being discussed that address the concerns of signing these

    If that does not sufficiently answer your question, I would be happy
    to provide you with any additional information that I can.



    firewall-wizards mailing list