Re: [fw-wiz] DNS vs. Bernstein

From: tqbf@sockpuppet.org
Date: 02/15/03

    From: tqbf@sockpuppet.org
    To: Rob Payne <rnspayne@the-paynes.com>
    Date: Sat, 15 Feb 2003 14:20:30 -0800
    

    [ arbitrary message clip for context ]
    > Thomas, that comment is ridiculously specious. I asked if Tobias was
    > using nym-based security and then discussed why it is not practical.

    Rob, calling my comments ``specious'' doesn't make them specious. Neither
    does concocting straw-man arguments. Not only am I not stepping into this
    discussion to defend ``nym-based security'', but you're intentionally
    oversimplifying Bernstein's suggestion to make a fantasy argument even
    easier to win. Let me assume that you're responding to my message in good
    faith, and suggest that we're not going to come to a constructive
    resolution by ignoring each other's arguments.

    I want to point out that ``DNSSEC requirements'' are not a credible reason
    to create hassles for firewall implementors. I think I have a good point
    in my favor: until [useful]*.COM is signed, EDNS0 and DNSSEC don't solve
    any real-world problems. You can say this is a chicken-and-egg problem
    because middleboxes are keeping DNSSEC from being deployed. Unfortunately,
    you'll have to contend with Vixie: ``it's impossible to know how many flag
    days we'll have before it's safe to burn ROMs... 2353 is already dead''.

    I think ``working code'' should come before attempts to build ``rough
    consensus''.

    You want to point out that DNSSEC is a more credible solution than
    ``nyms''. Fine: make a good-faith effort to take the idea of ``names are
    linked to keys directly'' to its logical conclusion. Saying ``we should
    all go back to a hosts file and copying it from machine to machine'' is
    obviously not a good-faith effort: it assumes a ``nym-based system'' is
    simply the idea that names embed links to their keys. No competent
    engineer would consider that a real proposal. I don't suggest you are
    incompetent.

    I haven't taken much time to think about ``nym-based security'' (my
    problem with DNSSEC ends at its presumptuousness and lack of real-world
    deployment, long before we get to alternative suggestions). But, let me
    tell you what I start thinking about when confronted with this problem:
    names change when keys need to change, and we make it easier to
    propagate name changes. We rely on systems whose keys don't change often
    to act as signposts to link to systems that do. Have you thought about
    any of this?

    Of course, one of the reasons I haven't either is that we're talking about
    DNS names that look like ``rkjhf934f.sockpuppet.org''. Don't you think
    that the author of the second-most popular open-source DNS server on the
    Internet understands this as well? Our normal assumptions about the role
    of DNS go out the window in this environment. Clearly everyone understands
    this.

    So what point are you trying to make, again? That people shouldn't mention
    Bernstein in discussions about DNS security?

    ---
    Thomas H. Ptacek
    PS: _You_ didn't mention Bernstein. Tobias did. Your response was
        dedicated to discussing him because you find his ``nym'' idea
        offensive.
    PPS: Let's establish that we can take Vixie's quote from:
         http://groups.google.com/groups?selm=arhtjh%24ags3%241%40isrv4.isc.org
         
    PPPS: Putting quotes around ``Vixie'' doesn't make it an epithet. Putting
          quotes around ``implementor'' does not make Bernstein less of one.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
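An added illustration of the sketch in the message above (names linked directly to keys, with a rarely-rekeyed host acting as a signpost to a frequently-rekeyed one); this is not code from the thread, from Bernstein, or from Ptacek. The label construction (a truncated base32 hash of the public key) and the record format are assumptions, and Lamport one-time signatures stand in for a real signature scheme so that it runs on the Python standard library alone.

```python
import base64
import hashlib
import os
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time keypair: 256 random secret pairs; public key = their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def nym(pk) -> str:
    # Self-certifying label: hash of the public key in a DNS-safe alphabet (assumed construction).
    digest = H(b"".join(a + b for a, b in pk))
    return base64.b32encode(digest).decode().lower().rstrip("=")[:26]

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # One-time scheme: a Lamport key must never sign two different messages.
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def publish(zone, domain: str, sk, pk, payload: bytes) -> str:
    # Store the record under '<nym>.<domain>'; the signature binds the name to the payload.
    name = f"{nym(pk)}.{domain}"
    zone[name] = (pk, payload, sign(sk, name.encode() + b"\0" + payload))
    return name

def resolve(zone, name: str):
    # Accept a record only if its key hashes to the label and its signature verifies.
    pk, payload, sig = zone.get(name, (None, None, None))
    if pk is None or nym(pk) != name.split(".", 1)[0]:
        return None  # unknown name, or a key that does not match the label
    if not verify(pk, name.encode() + b"\0" + payload, sig):
        return None  # payload tampered, or signed by a different key
    return payload

def follow_signpost(zone, stable_name: str):
    # A rarely-rekeyed host's record names the current nym of a frequently-rekeyed host.
    pointer = resolve(zone, stable_name)
    if pointer is None or not pointer.startswith(b"current="):
        return None
    return resolve(zone, pointer[len(b"current="):].decode())
```

The client needs to pin only the stable host's label; when the other host rekeys, its name changes and the stable host publishes a new signed pointer, so a record whose key no longer hashes to its label is rejected outright.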
    