Re: [fw-wiz] DNS Extensions and Firewalls
From: Thomas H. Ptacek (tqbf@pobox.com)
Date: 02/21/03
- Previous message: LE CORVIC Y InfoEdpEtcDep: "[fw-wiz] VPN Gateway And Nat"
- In reply to: Rob Payne: "Re: [fw-wiz] DNS and Firewalls"
- Next in thread: Frank Knobbe: "Re: [fw-wiz] DNS Extensions and Firewalls"
- Reply: Frank Knobbe: "Re: [fw-wiz] DNS Extensions and Firewalls"
From: "Thomas H. Ptacek" <tqbf@pobox.com> To: Rob Payne <rnspayne@the-paynes.com> Date: Fri, 21 Feb 2003 15:37:04 -0500
[ clipped for context ]
> I don't care about [useful]*.com until the root zone is signed to have
> a verifiable chain of trust through com to [useful]*.com. EDNS0
> solves real-world problems, as others have pointed out, and not
DNS protocol discussions can spin out of control very quickly. Fortunately,
what's really at issue is a simple point.
Non-EDNS0, Non-DNSSEC servers constitute more than 70% of the installed base
of DNS servers. At the present moment, DNSSEC servers don't solve any
Internet-wide security problems. Somehow, despite the fact that we can cite
large record sets from AOL or CNN, the entire Internet seems to be
functioning just fine.
The "real-world" problems tied to EDNS0 seem awfully abstract and
subjective. "Why should DNS have to use TCP for large record sets?" I don't
know. Why should SNMP have to use ASN.1? I'd love to never have to write BER
code again. Unfortunately, the deployed system works. If "need to switch to
TCP DNS" is a real argument, you need to quantify it. Name a customer that
is being bitten by lack of EDNS0, and make a case for how much money they
are losing.
But this is all completely irrelevant to firewall implementers. EDNS0 is a
new, peripheral extension to the core DNS protocols. What incentive do
implementers have for embracing these extensions?
As Mike Scher said in a previous post, many of these issues rapidly denature
into the question of "why did DNS++ choose to change the semantics of the
deployed DNS protocol, but maintain the same port?" These interoperability
problems could largely have been avoided.
---
Thomas H. Ptacek
PS: I'm happy to move away from the Bernstein discussion. However, you
don't make it easy with innuendo about "single developer projects".
Despite "single developer status", djbdns is the second-most popular
DNS implementation. Despite "single developer status", qmail is the
second-most popular Unix SMTP implementation. Both projects, in
massive use across the Internet, maintain amazing security track
records, despite huge incentive to unseat them.
PPS: I am, incidentally, curious about the experience you yourself have
had shipping infrastructure software. Maybe this argument could be
much more productive if we established that we shared a common
experience evaluating and building networking software.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
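The interoperability point above (EDNS0 changing message semantics while keeping port 53) is what a firewall's DNS inspector has to cope with. As an added example, not code from the thread or from any of the projects named in it, this minimal parser walks a wire-format DNS message, finds the EDNS0 OPT pseudo-RR (type 41) in the additional section, and reads the sender's advertised UDP payload size from the OPT record's CLASS field, so an inspector can distinguish a legitimately large EDNS0 reply from a classic message that exceeds the 512-byte UDP limit. The sample queries are constructed inline; the parser assumes well-formed input and does no bounds checking.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type code
CLASSIC_UDP_MAX = 512  # pre-EDNS0 UDP payload limit


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        n = msg[off]
        if n == 0:                 # root label terminates the name
            return off + 1
        if n & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def edns0_info(msg):
    """Return (has_opt, advertised_udp_size) for a wire-format DNS message."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return True, rclass                # OPT reuses CLASS as UDP size
        off += 10 + rdlen
    return False, CLASSIC_UDP_MAX


def classify(msg):
    """Label a message the way a DNS-aware filter might: classic vs EDNS0 vs oversize."""
    has_opt, size = edns0_info(msg)
    if has_opt:
        return f"edns0 udp={size}"
    if len(msg) > CLASSIC_UDP_MAX:
        return "oversize-classic"
    return "classic"


def build_query(name, with_opt, udp_size=4096):
    """Construct a sample A query, optionally with an EDNS0 OPT record (test data)."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if with_opt else 0)
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    q += struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN
    if with_opt:                               # root name, type 41, CLASS=udp size
        q += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + q
```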