Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500

From: Rob Payne (rnspayne@the-paynes.com)
Date: 02/15/03

  • Next message: tqbf@sockpuppet.org: "Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500"
    From: Rob Payne <rnspayne@the-paynes.com>
    To: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
    Date: Fri, 14 Feb 2003 22:10:43 -0500
    

    On Fri, Feb 14, 2003 at 08:58:41AM +0100, Reckhard, Tobias wrote:
    > > On Thursday, February 13, 2003 3:39 AM, Rob Payne
    > [mailto:rnspayne@the-paynes.com] wrote:
    > >
    > > Nothing personal to anyone, but a lot of firewalls really need to get
    > > these kinds of things right. If they do not, firewalls are going to
    > > get in the way of (DNS) security when zones start getting signed.
    > > (Rhetorical: Has anyone attempted to fit current DNS data plus
    > > RSA/SHA1 keys and signatures in packets 512 datagrams long?)
    >
    > The question is when will DNS RRs ever get signed, if at all. The sheer
    > amount of queries and number of records being requested, as well as the
    > tremendous increase in payload due to signatures appears to create very
    > real, practical problems. See http://cr.yp.to/djbdns/forgery.html and
    > http://cr.yp.to/talks/2003dnssec.pdf.

    Tobias, is that some type of bait? DJB's ideas on the issue are quite
    well known, he thinks we should all go back to a hosts file and
    copying it from machine to machine. Are you using ``nym-based
    security'', currently? When are you going to start?

    Well, to get an answer on that, you might have to talk to some other
    than DJB, who has no practical experience if he thinks you can rename
    your machines every time you change keys. From the forgery.html page
    you referenced, ``The idea is simply to give each computer a name that
    includes the computer's nym, a fingerprint of the computer's public
    key.''

    Keys need to expire, be revoked, replaced, etc. in a real world crypto
    setting. Computer names cannot change every time a key expires. If
    anyone goes with his nym-based security scheme, they will begin to
    keep the same keys forever, thus defeating the advantage of the key in
    the first place.

    Assuming your question was not meant to be inflammatory, but that you
    really wanted an answer, here goes.

    There are operational zones currently being signed. In fact, there
    was a proposal at IETF 56, (11/2002 in Atlanta,) to begin signing of
    the root zone
    (http://www.ietf.org/internet-drafts/draft-ihren-dnsop-interim-signed-root-00.txt).

    Most of the TLD's are already participating in signed test beds
    (operationally signing their zones.) The real problem zones, in terms
    of signing are .nl and .com, because of the zone sizes. There are
    drafts being discussed that address the concerns of signing these
    zones.
    (http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-opt-in-04.txt)

    If that does not sufficiently answer your question, I would be happy
    to provide you with any additional information that I can.

                                     -rob

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards




    Relevant Pages

    • BIND 9.7.2b1 is now available.
      ... BIND 9.7.2b1 is now available. ... The PGP signature of the binary kit for Windows XP and Window 2003 is at ... Zone configuration information for the new zones ... current managed keys combined with trusted keys. ...
      (comp.protocols.dns.bind)
    • Re: Site replication problem due to DNS Lookup failure.
      ... The Zones are AD Integrated. ... No Firewalls or any other devices on path. ... >> Site A. Repmon comes up with the DNS Lookup failure. ... > Infinite Diversities in Infinite Combinations. ...
      (microsoft.public.win2000.dns)
    • Re: DNSSEC
      ... Or do you use the same keys for all zones? ... Some people may just decide not to bother signing reverse ... so you can do things like put SSHFP records on them. ...
      (comp.protocols.dns.bind)
    • Re: ISC BIND 9.7.0b1 is now available
      ... How many 5011-maintained zones are you running? ... I would expect the result of this to be that keys are not properly updated ... I'll have to look closer. ... Evan Hunt -- each@xxxxxxx ...
      (comp.protocols.dns.bind)
    • DNSSEC
      ... Do you just sign with one pair of keys for all zones? ... Gary L. Paveza, Jr. ... Beaver Valley Road Wilmington Delaware 19803 ...
      (comp.protocols.dns.bind)