Re: [RAM] DNS usage in NERD
On Jun 16, 2007, at 4:47 AM, Eliot Lear wrote:

> The way I see it, when we start to see real exploits we *probably*
> have a way to get around them, and operators might become more
> motivated to implement DNSSEC (regardless of whether NERD is
> deployed).

I don't want to waste bandwidth here on the reasons that many believe
that DNSSEC fails to solve a series of posited non-problems, but
suffice it to say that DNSSEC isn't universally viewed as providing
useful security functionality, and furthermore, some believe it
introduces problems of its own. For purposes of this discussion, let's
stipulate that additional security mechanisms will probably be added
to the DNS at some point in the future, and leave it at that.

> But in this case, I would think the risk is limited to that of a
> denial of service, because the database and updates are signed.
> Perhaps a few words are in order in the draft?

A more thorough analysis would be useful, but that's my initial take,
too.
----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Equo ne credite, Teucri.
-- Laocoön