Re: [fw-wiz] DNS Extensions and Firewalls

From: Thomas H. Ptacek
Date: 02/21/03

    From: Thomas H. Ptacek
    To: Rob Payne
    Date: Fri, 21 Feb 2003 15:37:04 -0500

    [ clipped for context ]
    > I don't care about [useful]*.com until the root zone is signed to have
    > a verifiable chain of trust through com to [useful]*.com. EDNS0
    > solves real-world problems, as others have pointed out, and not

    DNS protocol discussions can spin out of control very quickly. Fortunately,
    what's really at issue is a simple point.

    Non-EDNS0, Non-DNSSEC servers constitute more than 70% of the installed base
    of DNS servers. At the present moment, DNSSEC servers don't solve any
    Internet-wide security problems. Somehow, despite the fact that we can cite
    large record sets from AOL or CNN, the entire Internet seems to be
    functioning just fine.

    The "real-world" problems tied to EDNS0 seem awfully abstract and
    subjective. "Why should DNS have to use TCP for large record sets?" I don't
    know. Why should SNMP have to use ASN.1? I'd love to never have to write BER
    code again. Unfortunately, the deployed system works. If "need to switch to
    TCP DNS" is a real argument, you need to quantify it. Name a customer that
    is being bitten by lack of EDNS0, and make a case for how much money they
    are losing.

    But this is all completely irrelevant to firewall implementers. EDNS0 is a
    new, peripheral extension to the core DNS protocols. What incentive do
    implementers have for embracing these extensions?

    As Mike Scher said in a previous post, many of these issues rapidly denature
    into the question of "why did DNS++ choose to change the semantics of the
    deployed DNS protocol, but maintain the same port?" These interoperability
    problems could largely have been avoided.

    Thomas H. Ptacek
    PS: I'm happy to move away from the Bernstein discussion. However, you
        don't make it easy with innuendo about "single developer projects".
        Despite "single developer status", djbdns is the second-most popular
        DNS implementation. Despite "single developer status", qmail is the
        second-most popular Unix SMTP implementation. Both projects, in
        massive use across the Internet, maintain amazing security track
        records, despite huge incentive to unseat them.
    PPS: I am, incidentally, curious about the experience you yourself have
         had shipping infrastructure software. Maybe this argument could be
         much more productive if we established that we shared a common
         experience evaluating and building networking software.
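An added illustration, not part of the thread, of the point above that EDNS0 changes DNS semantics while keeping port 53: a small inspector of the kind a firewall implementer might write, which locates the OPT pseudo-RR in a DNS message and reads the UDP payload size it advertises beyond the classic 512-byte limit. The helper names and the sample queries are constructed for this example.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type code (RFC 2671)
LEGACY_UDP_MAX = 512   # UDP payload limit assumed by pre-EDNS0 resolvers and firewalls


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def inspect_edns0(msg):
    """Return None for a plain DNS message, or a dict describing its OPT record.

    The OPT RR carries the advertised UDP payload size in its CLASS field and
    the extended RCODE / version / flags (DO bit) in its TTL field.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                          # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for count in (an, ns, ar):                   # walk answer, authority, additional
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == OPT_TYPE:                # OPT is only valid in the additional section
                return {
                    "udp_payload_size": rclass,
                    "version": (ttl >> 16) & 0xFF,
                    "do_bit": bool(ttl & 0x8000),
                    "exceeds_legacy_limit": rclass > LEGACY_UDP_MAX,
                }
    return None


def build_query(name, edns_size=None):
    """Constructed A query for `name`; adds an OPT RR (DO bit set) when edns_size is given."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    if edns_size:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0x00008000, 0)
    return msg
```

A legacy-only filter that drops port-53 UDP datagrams over 512 bytes will silently break the second kind of query while passing the first.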
