
Re: Proposed DNSSEC Plenary Experiment for IETF 74

2008-11-28 16:21:21

In message <alpine.LFD.1.10.0811281438590.7186@newtla.xelerance.com>, Paul Wouters writes:
On Fri, 28 Nov 2008, Andrew Sullivan wrote:

That said, I don't want to make light of the end-point problem, since
TSIG between a stub and a recursor isn't a trivial problem today
either.  Moreover, since end nodes in many environments get their
recursor's address(es) via DHCP, and since that path is pretty easy to
compromise, the whole edifice rests on a sandy foundation.
Nevertheless, I just want to be clear that having every end node in
the world doing RFC 4035-and-friends validation is not the only path
to useful DNSSEC.

It's worse. Before you can start validating on your own, or use some
trusted remote TSIG-accessible resolver, you are likely to need
to accept some spoofs to get past the hotspot authentication.

        Which is something the IETF should be providing / promoting
        a standard alternative for.  At present normal protocol
        operations are being hijacked to do this.

        Browsers could then have a "HOTSPOT" button which just looked
        up this information, for example.

        Mark

Then you need to prevent your browser from caching them too much (they
do fastflux protection), and your own potential resolver needs to
dump the answers once it has a real IP link to the real world.

I don't know of any method to both allow hotspot access and fully
use DNSSEC.

Paul
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
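The workaround Paul describes above (accept the hotspot's spoofed answers long enough to get through the portal, then make sure the resolver dumps them once there is a real link) can be modelled as a small stub-resolver cache. The following is an added example written for this archive page, not code from either poster, ISC, or Xelerance. It assumes a simplified upstream interface in which every answer arrives already carrying a DNSSEC verdict ("secure", "insecure" or "bogus") from a validating resolver; the `Answer`, `PortalAwareCache` and `looks_like_portal` names, and the sample addresses, are constructed for illustration.

```python
"""Captive-portal-aware stub resolver cache (added example, not from the thread).

Assumption: an upstream validating resolver hands us each answer together
with a DNSSEC verdict. Real code would obtain that verdict from a library
such as a validating resolver's AD/bogus reporting; here it is just a field.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    address: str
    ttl: int
    verdict: str  # "secure" | "insecure" | "bogus" (hypothetical upstream field)


@dataclass
class CacheEntry:
    answer: Answer
    expires: float
    provisional: bool  # True if accepted only because we sat behind a hotspot


class PortalAwareCache:
    def __init__(self, now=time.monotonic):
        self._now = now
        self._entries: dict[str, CacheEntry] = {}
        self.online = False  # flips to True once a real IP link is confirmed

    def accept(self, ans: Answer) -> bool:
        """Cache an answer. Bogus (validation-failing) answers are refused once
        online; before that they are cached but flagged provisional so the
        portal's spoofs can be purged the moment the walled garden opens."""
        if ans.verdict == "bogus" and self.online:
            return False
        provisional = ans.verdict == "bogus"
        self._entries[ans.name] = CacheEntry(ans, self._now() + ans.ttl, provisional)
        return True

    def lookup(self, name: str) -> Answer | None:
        """Return a cached answer, honouring TTL expiry."""
        entry = self._entries.get(name)
        if entry is None or entry.expires <= self._now():
            self._entries.pop(name, None)
            return None
        return entry.answer

    def go_online(self) -> list[str]:
        """Call when real connectivity is confirmed: drop every provisional
        entry regardless of remaining TTL, and stop accepting bogus data.
        Returns the names that were purged."""
        self.online = True
        purged = [n for n, e in self._entries.items() if e.provisional]
        for name in purged:
            del self._entries[name]
        return purged


def looks_like_portal(answers: list[Answer]) -> bool:
    """Heuristic for the hotspot hijack pattern: two or more unrelated names
    all failing validation and all pointing at the same address."""
    bogus = [a for a in answers if a.verdict == "bogus"]
    if len(bogus) < 2:
        return False
    return len({a.address for a in bogus}) == 1


def demo() -> list[str]:
    """Walk through the portal -> online transition; returns the purged names."""
    cache = PortalAwareCache()
    # Constructed sample answers: the portal answers everything with itself.
    spoofed = [
        Answer("example.com", "10.0.0.1", 30, "bogus"),
        Answer("example.net", "10.0.0.1", 30, "bogus"),
    ]
    if looks_like_portal(spoofed):
        for a in spoofed:
            cache.accept(a)  # tolerated, but provisional
    purged = cache.go_online()  # real link: dump the spoofs
    cache.accept(Answer("example.org", "93.184.216.34", 300, "secure"))
    return purged


if __name__ == "__main__":
    print("purged after going online:", demo())
```

The key design choice is that provisional entries are purged on the state transition rather than left to expire: a portal can hand out long TTLs, and (as the message notes for browsers) anything that caches the spoof past the walled-garden phase keeps the hijack alive after the link is real.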