
[RAM] (no subject)



On Jun 15, 2007, at 6:52 AM, RJ Atkinson wrote:
>The *only* way to remove potential security issues associated
>with DNS is to deploy DNS Security.  Period.

Later, Roland Dobbins at cisco wrote:
% There's hardly consensus within the operational community
% surrounding the utility of DNSSEC, if that's what you're
% referring to, so assertions of this nature aren't really
% supportable.

Actually, the assertion is provable.  DNSsec is the *only*
mechanism available to provide cryptographic authentication
of DNS responses.  If someone wants to propose something else,
that is fine, but until some alternative mechanism is
defined and agreed upon then it really is the only option
available.

I realise that moving from the current totally un-authenticated
DNS to one where DNS is authenticated is far from being a
trivial exercise.  There is some operational pain in making
that transition.  I do know of a few organisations that have
made that transition successfully, not many, but there are some.
Even one deployment would be an existence proof, and there is
more than one (not many, admittedly).  So it is possible, although
not painless.  (And I'm not discounting the pain. :-( )

However, there is no other credible proposal on the table
for providing strong authentication to DNS responses.  And
the threats are real (and have been seen in the wild).
Further, those threats and vulnerabilities do apply to the
current deployed IPv4 Internet.

So my claim was carefully phrased.  I didn't say DNSsec was
easy or trivial to deploy.  I said it was the only way to
remove those security issues -- and my claim is indisputably
true at present.  Maybe later pixie dust will appear and
come up with some other mechanism; I'm not aware of anything
else today that can address the DNS security issues.

And if this exchange motivates someone here to come up with
something better than the IETF DNSsec standards, that isn't
a bad outcome either. :-)

Cheers,

Ran


_______________________________________________
RAM mailing list
RAM at iab.org
https://www1.ietf.org/mailman/listinfo/ram