Re: Securing DNS Re: IAB statement on the RPKI.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:

The key point is choice. Just as some people CHOOSE to install
products such as Norton Anti-Virus that stop certain applications
running on their machine, the typical Internet user should probably
CHOOSE to use a DNS service that has the known crimeware sites
eliminated.

Should they also CHOOSE for a porn filter. And a filter on politically
sensitive words? Where does our job end to let the user CHOOSE their
censorship? And again, you make it sound like DNSSEC is taking away that
choice, which is clearly not the case.

The point is that the particular obsession with 'end to end' solutions
means that we loose the ability to deploy architectures that provide
greater protection against the attacks that actually matter.

It prevents hacking the protocol (for good AND for evil). And that is
a good thing.

DNS hijacking is a very rare type of attack.

No it is not. It depends on your environment. I'll grant you that its
more likely you'll end up on a phising side then caught in a DNS spoof,
but that does not validate your opinion of not rolling out stronger
security just so people can play games with protocols.

And as Mark showed, there are legitimate ways of piggypacking filtering
services with DNS using EDNS options.

Securing the mapping of
DNS names to IP addresses will not provide a major reduction in
expected losses due to attacks.

It will greatly improve security by providing a hierarchical distributed
signed database. You will see many new applications leveling this new option.

We already have domain validated SSL
certificates that meet that need quite adequately.

You haven't been around in the last year? When we had SSL attack after SSL
attack? A 2 second email verification for a "valid for the entire world"
certificate is not what I would call "quite adequately".

The value in DNSSEC lies in being able to establish a coherent network
based system of security policy distribution.

Sorry, I am not sure what this means. But if it is another application of
distributed signed data, then yes, it is another case for the adoption of
DNSSEC, not for critisism that it would block some filtering technique,
which it doesn't)

Paul
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]