Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
From: Rob Payne (rnspayne@the-paynes.com)
Date: 02/15/03
From: Rob Payne <rnspayne@the-paynes.com> To: tqbf@pobox.com Date: Sat, 15 Feb 2003 15:31:21 -0500
On Sat, Feb 15, 2003 at 09:03:14AM -0800, tqbf@sockpuppet.org wrote:
> > Tobias, is that some type of bait? DJB's ideas on the issue are quite
> > well known, he thinks we should all go back to a hosts file and
> > copying it from machine to machine. Are you using ``nym-based
> > security'', currently? When are you going to start?
>
> This is a ridiculous ad-hominem that has no relevance whatsoever to
> Bernstein's actual position in the DNS security controversy.
Thomas, that comment is ridiculously specious. I asked if Tobias was
using nym-based security and then discussed why it is not practical.
Are you, or more importantly is your employer, going to name systems
using a public key fingerprint? If you do, what happens to the
credibility of the system when the name changes because a public key
expired and needs to be changed? How about when a system is broken
into and the key is compromised?
This is a security list, everyone here should be willing to
acknowledge that no systems are "perfectly secure." Given that, why
would you use security that is based upon the false assumption that a
key is never compromised?
> At issue is whether any credible set of protocols and plans exists
> to cryptographically secure DNS with a hierarchy of keys. Since
> Vixie himself seems to have indicated that the DNSSEC protocols
> Bernstein has refused to implement were a false start, don't you
> feel a bit embarrassed using them as an excuse to bash an implementor
> on a public mailing list?
I did nothing to bash any "implementor" on a public mailing list,
certainly nothing to be embarrassed about. As I said, Professor Dan's
ideas on the subject are well-known. The only reason I mentioned him
at all was to ask Tobias about the references he made to a web site
regarding DJB. Your reference to Paul Vixie is a nearly direct quote
from the same web pages and has absolutely no relevance. "Vixie," as
you call him, made that statement in reference to 2535. The
references I listed in my previous messages are aimed at replacing
2535 in a way that fixes the problems that were found when
implementing 2535.
Let's take this a step farther, so no one feels this has anything to
do with any DNS implementors. My point was that firewalls that block
fragmented UDP packets used by EDNS are getting in the way of
security. Let's ignore everything currently being done regarding
DNSSEC by the IETF since anything regarding DNSSEC not said by
Professor B. seems to be such a sensitive topic. Instead let's focus
on any transaction that simply requires large DNS packets.
For instance, a well-distributed set of name servers whose names have
been created using nyms. If you take 13 hosts with names based upon
SHA1 fingerprints, and use them as the name servers for a zone, you
cannot transmit that DNS message in 512 datagrams. My original point
still holds if the firewall blocks fragmented DNS.
DNSSEC was an example. It is not the only reason why firewalls need
to do the right thing with DNS.
-rob
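The 13-nameserver case in the message above, worked through as an added example (this is not code from the post or from the list): it assembles a minimal NS answer in DNS wire format with RFC 1035 label compression and measures it against the classic 512-byte UDP limit that applies without EDNS0. The zone name and the "public keys" are constructed sample values.

```python
import hashlib
import struct

DNS_MAX_UDP = 512  # classic UDP DNS payload limit without EDNS0 (RFC 1035)

def nym_hostname(pubkey: bytes, zone: str) -> str:
    """Name a host by the SHA-1 fingerprint of its public key, as in the post."""
    return f"{hashlib.sha1(pubkey).hexdigest()}.{zone}"

def encode_name(name: str, msg: bytearray, offsets: dict) -> bytes:
    """Wire-encode a name, using RFC 1035 pointers to suffixes already in msg."""
    labels = name.rstrip(".").split(".")
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:  # suffix seen before: emit a 2-byte pointer and stop
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        offsets[suffix] = len(msg) + len(out)  # where this suffix will start
        out += bytes([len(label)]) + label.encode()
    return bytes(out + b"\x00")

def build_ns_response(zone: str, nameservers: list) -> bytes:
    """Minimal answer to 'zone NS?': header, one question, one NS RR per server."""
    offsets = {}
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(nameservers), 0, 0))
    msg += encode_name(zone, msg, offsets) + struct.pack("!HH", 2, 1)  # QTYPE NS, IN
    for ns in nameservers:
        msg += encode_name(zone, msg, offsets)            # owner name, compressed
        msg += struct.pack("!HHIH", 2, 1, 3600, 0)        # NS, IN, TTL, RDLENGTH (patched)
        rdlen_pos = len(msg) - 2
        rdata = encode_name(ns, msg, offsets)
        msg += rdata
        struct.pack_into("!H", msg, rdlen_pos, len(rdata))
    return bytes(msg)

def fits_in_udp(msg: bytes, limit: int = DNS_MAX_UDP) -> bool:
    """True if the answer can be sent without EDNS0 (and so without fragmentation)."""
    return len(msg) <= limit

def nym_delegation(zone: str = "example.com", count: int = 13) -> bytes:
    """Build the 13-server delegation from the post; keys are constructed samples."""
    keys = [f"constructed-sample-key-{i}".encode() for i in range(count)]
    return build_ns_response(zone, [nym_hostname(k, zone) for k in keys])

if __name__ == "__main__":
    reply = nym_delegation()
    print(len(reply), "bytes; fits in 512-byte UDP:", fits_in_udp(reply))  # 744 bytes; False
```

Even with full label compression the 13-record answer is 744 bytes, so a resolver must fall back to EDNS0 (and hence possibly fragmented UDP) or TCP; a firewall that drops either breaks the lookup regardless of DNSSEC.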
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards