Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500

From: Rob Payne
Date: 02/15/03

    From: Rob Payne
    Date: Sat, 15 Feb 2003 15:31:21 -0500

    On Sat, Feb 15, 2003 at 09:03:14AM -0800, wrote:
    > > Tobias, is that some type of bait? DJB's ideas on the issue are quite
    > > well known, he thinks we should all go back to a hosts file and
    > > copying it from machine to machine. Are you using ``nym-based
    > > security'', currently? When are you going to start?
    > This is a ridiculous ad-hominem that has no relevance whatsoever to
    > Bernstein's actual position in the DNS security controversy.

    Thomas, that comment is ridiculously specious. I asked if Tobias was
    using nym-based security and then discussed why it is not practical.
    Are you, or more importantly is your employer, going to name systems
    using a public key fingerprint? If you do, what happens to the
    credibility of the system when the name changes because a public key
    expired and needs to be changed? How about when a system is broken
    into and the key is compromised?

    This is a security list, everyone here should be willing to
    acknowledge that no systems are "perfectly secure." Given that, why
    would you use security that is based upon the false assumption that a
    key is never compromised?

    > At issue is whether any credible set of protocols and plans exists
    > to cryptographically secure DNS with a hierarchy of keys. Since
    > Vixie himself seems to have indicated that the DNSSEC protocols
    > Bernstein has refused to implement were a false start, don't you
    > feel a bit embarrassed using them as an excuse to bash an implementor
    > on a public mailing list?

    I did nothing to bash any "implementor" on a public mailing list,
    certainly nothing to be embarrassed about. As I said, Professor Dan's
    ideas on the subject are well-known. The only reason I mentioned him
    at all was to ask Tobias about the references he made to a web site
    regarding DJB. Your reference to Paul Vixie is a nearly direct quote
    from the same web pages and has absolutely no relevance. "Vixie," as
    you call him, made that statement in reference to 2535. The
    references I listed in my previous messages are aimed at replacing
    2535 in a way that fixes the problems that were found when
    implementing 2535.

    Let's take this a step farther, so no one feels this has anything to
    do with any DNS implementors. My point was that firewalls that block
    fragmented UDP packets used by EDNS are getting in the way of
    security. Let's ignore everything currently being done regarding
    DNSSEC by the IETF since anything regarding DNSSEC not said by
    Professor B. seems to be such a sensitive topic. Instead let's focus
    on any transaction that simply requires large DNS packets.

    For instance, a well-distributed set of name servers whose names have
    been created using nyms. If you take 13 hosts with names based upon
    SHA1 fingerprints, and use them as the name servers for a zone, you
    cannot transmit that DNS message in 512 datagrams. My original point
    still holds if the firewall blocks fragmented DNS.

    DNSSEC was an example. It is not the only reason why firewalls need
    to do the right thing with DNS.

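The size argument in the message above, worked through as an added example (this is not the poster's code): it builds a minimal DNS response in RFC 1035 wire format, including name compression so the zone suffix is only spelled out once, for a zone whose 13 NS targets are 40-character SHA-1 hex labels, and compares the result with the 512-byte limit that applies to DNS over UDP without EDNS0. The zone name `example.`, the key identifiers hashed to form the labels, and the TTL are constructed values; the glue A records a real referral would carry in the additional section are left out, so the real message would be larger still.

```python
import hashlib
import struct

MAX_CLASSIC_UDP = 512  # RFC 1035 ceiling for a DNS message over UDP without EDNS0


def encode_name(name, offsets, buf):
    """Append `name` (e.g. "ns1.example.") to `buf` in wire format.

    `offsets` maps every suffix already written to its position so that a
    repeated suffix becomes a two-byte RFC 1035 compression pointer.
    """
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:
            buf += struct.pack("!H", 0xC000 | offsets[suffix])  # pointer
            return
        if len(buf) < 0x3FFF:  # pointers can only address 14 bits
            offsets[suffix] = len(buf)
        label = labels[0].encode("ascii")
        if len(label) > 63:
            raise ValueError("DNS label longer than 63 octets: %r" % label)
        buf += bytes([len(label)]) + label
        labels = labels[1:]
    buf += b"\x00"  # root label terminates the name


def build_ns_response(zone, ns_names, ttl=3600):
    """Return a minimal authoritative response: header, one question, NS RRset."""
    buf = bytearray()
    offsets = {}
    # Header: ID, flags (QR=1, AA=1), QDCOUNT=1, ANCOUNT=len(ns_names), NSCOUNT=0, ARCOUNT=0
    buf += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(ns_names), 0, 0)
    encode_name(zone, offsets, buf)
    buf += struct.pack("!HH", 2, 1)  # QTYPE=NS, QCLASS=IN
    for ns in ns_names:
        encode_name(zone, offsets, buf)  # owner name collapses to a pointer
        buf += struct.pack("!HHI", 2, 1, ttl)  # TYPE=NS, CLASS=IN, TTL
        rdlen_pos = len(buf)
        buf += b"\x00\x00"  # placeholder for RDLENGTH
        start = len(buf)
        encode_name(ns, offsets, buf)
        struct.pack_into("!H", buf, rdlen_pos, len(buf) - start)
    return bytes(buf)


def nym_server_names(zone, count):
    """Constructed 'nym' host names: a SHA-1 hex fingerprint (40 chars) as the label.

    The key identifiers hashed here are constructed placeholders, not real keys.
    """
    return [
        hashlib.sha1(("constructed-key-%d" % i).encode()).hexdigest() + "." + zone
        for i in range(count)
    ]


def fits_in_classic_udp(msg):
    """True if the message can be sent over UDP without EDNS0 or truncation."""
    return len(msg) <= MAX_CLASSIC_UDP


if __name__ == "__main__":
    nym = build_ns_response("example.", nym_server_names("example.", 13))
    short = build_ns_response("example.", ["ns%d.example." % i for i in range(13)])
    for label, msg in (("13 nym-named NS", nym), ("13 short-named NS", short)):
        print("%-18s %4d bytes  fits in 512: %s" % (label, len(msg), fits_in_classic_udp(msg)))
```

Each NS record with a 40-character label costs 55 bytes even after compression (2 for the owner pointer, 10 of fixed fields, 41 for the label and 2 for the suffix pointer), so the 13-server RRset alone is 715 bytes and the whole message 740; the same zone with short conventional names comes in under 300. A resolver therefore has to advertise a larger buffer with EDNS0 to fetch the nym-based RRset over UDP, and that larger datagram is exactly what arrives fragmented at a firewall that drops fragmented UDP, leaving truncation and a TCP retry as the only way through.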