[6bone] Request: two 6bone pTLAs

Paul Jakma paul at clubi.ie
Sun May 16 15:25:08 PDT 2004


On Mon, 17 May 2004, Iljitsch van Beijnum wrote:

> Why would this be a problem for WKA resolvers more than for any
> other resolvers, and:

It is not a problem in the resolvers (if you mean WKA-using clients).
It is a problem in the DNS infrastructure.

> No need. You are at the mercy of the person running the resolver
> for anything that doesn't use strong authentication (such as SSL,
> IPsec and SSH, if used correctly).

There is currently no globally deployable security infrastructure for
DNS.
 
Damage at the moment is limited though, because recursive service is
usually only provided to a small subset of "clients", not the whole
internet. E.g., the risk to $ISP is limited to evil clients of $ISP,
not to the whole internet. A WKA public recursive DNS server would:

- be open to poisoning by $EVIL-CLIENTs on the whole internet

- have a target audience of non-evil clients (which would use this
service and hence potentially be given poisoned DNS replies) that is
potentially the whole internet.

NB: Please ask DNS experts about DNS poison attacks.

> types of communication. If you want to be absolutely secure, you're
> going to have to expend a lot of time and money on that and be
> prepared to give up lots of stuff that can't be made secure (either
> inherently or in practice).

Well, the answer, allegedly, one day, is DNSSEC and to have the root
zones signed and trust established from that point down. But that
will be a while. Until that day comes, I strongly feel that we should
not mandate DNS resolvers to potentially fall back to a very
exploitable public service.
 
> 6to4 is a perfect example of what I want to do with WKA DNS
> resolvers: 

Yes, I understand. The mechanics of the routing may be similar,
however the security implications are quite different.

The public recursive DNS servers located at WKA will be caching
lookups. If you can poison records cached by this public service, 
then all other clients querying it will get the poisoned records.

I feel that, unless there is reassurance from DNS gurus that
poisoning would not be a problem, there should _not_ be a public
service offering this.

> > Site locals are deprecated, aren't they?
> 
> Don't you watch horror movies? The monster always comes back after being
> killed the first time.  :-)

:)

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam at dishone.st
Fortune:
"Zaphod grinned two manic grins, sauntered over to the bar 
and bought most of it." 

- Zaphod in paradise. 

