[6bone] Request: two 6bone pTLAs

Paul Jakma paul at clubi.ie
Mon May 17 04:03:29 PDT 2004


On Mon, 17 May 2004, Iljitsch van Beijnum wrote:

> I'll skip over the point that anycasting limits all of this to a
> subset of the whole internet. In 1997, Alternic did some of this
> poisoning. 

Yes, indeed - it was 1996 though, I think.

> They were quite successful at poisoning caches all over the place
> rather than just at their own ISP. 

Right, but the hole alternic used is long closed. So they made use of 
a trivial hole and poisoned a significant number of nameservers.

> It's not very hard to get someone to ask for some DNS data for
> which you are authoritative. This is especially easy with email, and
> sometimes just visiting a web site is enough.

Indeed. But if you are truly authoritative and we've arrived at your DNS
server via appropriate delegation, there's no reason not to believe
your answer. And BIND discards additional answers for which a server
is not authoritative.

> Nobody is forcing anyone to USE this service. Any and all risks are
> only assumed by those who choose to use the service. As such, there
> is no reason not to run it just because it may be insecure. We
> *know* SMTP is insecure and still it's available all over the
> place.

"ah, but XYZ is insecure" is not an excuse to introduce another 
service with security problems.

Forcing to use the service: No, nobody would be forced to, but the 
WKA would not be as useful otherwise. How does a client who wants to 
use the WKA, but is security sensitive and does not want to use a 
global service discriminate between a locally routed WKA and the 
global one.

At least, at a minimum, introduce 2 of them, the second address being 
one which must never be advertised globally.

> Yes, they are much worse for 6to4 because a malicious relay gets to
> see ALL traffic and launch man in the middle attacks.

Well, the DNS WKA would have this problem too. But we're not 
discussing that problem, we're discussing cache poisoning - which 
6to4 doesn't have.
 
> I don't think my name is on the DNS guru list but I'm pretty sure
> this isn't an issue.

Sorry, I'd rather hear "this isn't an issue" from someone who /is/.

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam at dishone.st
Fortune:
Zombie processes detected, machine is haunted.
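An added illustration of the bailiwick rule Paul refers to above (a resolver discarding additional-section records whose names fall outside the zone the responding server is authoritative for), written in Python for this page; it is not code from BIND or from the thread, and the record class, zone name and sample reply are constructed.

```python
"""Bailiwick check for DNS additional-section records (added example).

Models the cache-poisoning defence discussed in the thread: records in the
additional section are only accepted when their owner name lies within the
zone the answering server is authoritative for. Data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "ns1.example.net."
    rtype: str   # "A", "AAAA", "NS", ...
    rdata: str


def _labels(name: str) -> list[str]:
    """Normalise a domain name to lower-case labels, ignoring the root dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (label-wise, not substring)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_additional(zone: str, additional: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split additional records into (accepted, discarded) by bailiwick."""
    accepted = [rr for rr in additional if in_bailiwick(rr.name, zone)]
    discarded = [rr for rr in additional if not in_bailiwick(rr.name, zone)]
    return accepted, discarded


# Constructed reply from a server delegated for example.net.: glue for its own
# name server is legitimate; the A record for an unrelated domain must not be cached.
SAMPLE_ZONE = "example.net."
SAMPLE_ADDITIONAL = [
    RR("ns1.example.net.", "A", "192.0.2.1"),
    RR("www.victim.example.", "A", "192.0.2.99"),
    RR("NS1.EXAMPLE.NET", "AAAA", "2001:db8::1"),   # case and trailing-dot variants match
    RR("notexample.net.", "A", "192.0.2.7"),        # substring trap: not a subdomain
]

if __name__ == "__main__":
    ok, bad = filter_additional(SAMPLE_ZONE, SAMPLE_ADDITIONAL)
    print("cached:", [r.name for r in ok])
    print("discarded:", [r.name for r in bad])
```

Glue for an out-of-zone name server (an NS record pointing outside the bailiwick) is likewise dropped here and would have to be resolved by a separate query rather than trusted from this reply.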