[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RAM] DNS usage in NERD

To: Roland Dobbins <rdobbins at cisco.com>
Subject: Re: [RAM] DNS usage in NERD
From: Eliot Lear <lear at cisco.com>
Date: Sat, 16 Jun 2007 12:47:23 +0100
Authentication-results: ams-dkim-2; header.From=lear@cisco.com; dkim=pass (s ig from cisco.com/amsdkim2001 verified; );
Cc: RJ Atkinson <rja at extremenetworks.com>, ram at iab.org
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=763; t=1181994450; x=1182858450; c=relaxed/simple; s=amsdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=lear@cisco.com; z=From:=20Eliot=20Lear=20<lear@cisco.com> |Subject:=20Re=3A=20[RAM]=20DNS=20usage=20in=20NERD |Sender:=20; bh=5+xVy44HiVjmjExhO+zlStFo4hfuh0ZJhW8pzCjYHyY=; b=RXDU68Bi0cbSMJIjmXx7TQqGSUeK0k4VEXwV5RNtAWZprTPT2igvLbqCGH1UtsE+m8uf3aKK fMrtFYve58tU8rwrfm2OYXQmCGlYk2DV1g129wOdBDitNk58882i7DdD;
In-reply-to: <E6AB85F0-CA95-4BF2-AC8F-5DEC598ACA13@cisco.com>
List-archive: <http://www1.ietf.org/pipermail/ram>
List-help: <mailto:ram-request@iab.org?subject=help>
List-id: Routing and Addressing Mailing List <ram.iab.org>
List-post: <mailto:ram@iab.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=unsubscribe>
References: <1733F2C0-324A-4C66-9904-F0B597271642@extremenetworks.com> <E6AB85F0-CA95-4BF2-AC8F-5DEC598ACA13@cisco.com>
User-agent: Thunderbird 2.0.0.0 (Macintosh/20070326)

Roland, Ran,

The *only* way to remove potential security issues associated
with DNS is to deploy DNS Security.  Period.
There's hardly consensus within the operational community surrounding the utility of DNSSEC, if that's what you're referring to, so assertions of this nature aren't really supportable.

Obviously you're both right. The way I see it, when we start to see real exploits we *probably* have a way to get around them, and operators might become more motivated to implement DNSSEC (regardless of whether NERD is deployed). But in this case, I would think the risk is limited to that of a denial of service, because the database and updates are signed. Perhaps a few words are in order in the draft?

Eliot

_______________________________________________
RAM mailing list
RAM at iab.org
https://www1.ietf.org/mailman/listinfo/ram

Follow-Ups:
- Re: [RAM] DNS usage in NERD
  - From: Roland Dobbins

References:
- [RAM] DNS usage in NERD
  - From: RJ Atkinson
- Re: [RAM] DNS usage in NERD
  - From: Roland Dobbins

Prev by Date: Re: [RAM] ViP: Anycast ITRs in the DFZ & mobile tunnels
Next by Date: [RAM] Ivip (was ViP ...)
Previous by thread: Re: [RAM] DNS usage in NERD
Next by thread: Re: [RAM] DNS usage in NERD
Index(es):
- Date
- Thread