
Re: Securing DNS Re: IAB statement on the RPKI.

2010-02-18 20:00:24
On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:

> The key point is choice. Just as some people CHOOSE to install
> products such as Norton Anti-Virus that stop certain applications
> running on their machine, the typical Internet user should probably
> CHOOSE to use a DNS service that has the known crimeware sites
> eliminated.

Should they also CHOOSE a porn filter? And a filter on politically
sensitive words? Where does our job end to let the user CHOOSE their
censorship? And again, you make it sound like DNSSEC is taking away that
choice, which is clearly not the case.

> The point is that the particular obsession with 'end to end' solutions
> means that we lose the ability to deploy architectures that provide
> greater protection against the attacks that actually matter.

It prevents hacking the protocol (for good AND for evil). And that is
a good thing.

> DNS hijacking is a very rare type of attack.

No it is not. It depends on your environment. I'll grant you that it's
more likely you'll end up on a phishing site than caught in a DNS spoof,
but that does not validate your opinion of not rolling out stronger
security just so people can play games with protocols.

And as Mark showed, there are legitimate ways of piggybacking filtering
services with DNS using EDNS options.

> Securing the mapping of
> DNS names to IP addresses will not provide a major reduction in
> expected losses due to attacks.

It will greatly improve security by providing a hierarchical distributed
signed database. You will see many new applications leveraging this new option.

> We already have domain validated SSL
> certificates that meet that need quite adequately.

You haven't been around in the last year? When we had SSL attack after SSL
attack? A 2 second email verification for a "valid for the entire world"
certificate is not what I would call "quite adequately".

> The value in DNSSEC lies in being able to establish a coherent network
> based system of security policy distribution.

Sorry, I am not sure what this means. But if it is another application of
distributed signed data, then yes, it is another case for the adoption of
DNSSEC, not for criticism that it would block some filtering technique
(which it doesn't).

Paul
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
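As an added illustration of the point made above (this is example code, not part of the thread and not Mark's proposal), here is how a client can carry a filtering preference in an EDNS(0) option while independently setting the DNSSEC OK (DO) bit in the same OPT record, so opting into a filtered resolver and asking for DNSSEC are orthogonal signals. The header, question and OPT RR layout follow RFC 1035 and RFC 6891; the option code 65001 is taken from the local/experimental range, and its one-byte policy payload, the sample blocklist and the resolver decision logic are assumptions made for this example.

```python
"""Build and parse a DNS query carrying an EDNS(0) OPT record with the DO bit
and a local-use filtering option, then apply a toy resolver policy to it.

Wire format: RFC 1035 (header, question) and RFC 6891 (OPT RR). The option
code and its payload meaning are hypothetical, chosen for this example."""
import struct

OPT_TYPE = 41            # RR type of the EDNS(0) OPT pseudo-record
DO_FLAG = 0x8000         # DNSSEC OK bit in the OPT "TTL" flags field
FILTER_OPTION_CODE = 65001  # local/experimental option range; meaning assumed here
POLICY_BLOCK_CRIMEWARE = 0x01  # hypothetical bit in the one-byte policy payload

# Constructed sample data: names a filtering resolver would refuse to resolve.
CRIMEWARE_BLOCKLIST = {"evil.example."}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode uncompressed labels; returns (name with trailing dot, new offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_opt_rr(udp_size: int, dnssec_ok: bool, options) -> bytes:
    """OPT RR: root owner name, TYPE=41, CLASS=UDP payload size,
    TTL=ext-rcode(8)|version(8)|flags(16), RDATA=list of (code,len,data)."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (0 << 24) | (0 << 16) | (DO_FLAG if dnssec_ok else 0)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata


def build_query(txn_id: int, qname: str, qtype: int, dnssec_ok: bool, options) -> bytes:
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + build_opt_rr(4096, dnssec_ok, options)


def parse_query(msg: bytes) -> dict:
    """Parse header, question and the OPT RR; reject malformed EDNS data."""
    txn_id, _flags, _qd, _an, _ns, arcount = struct.unpack_from("!HHHHHH", msg, 0)
    offset = 12
    qname, offset = decode_name(msg, offset)
    qtype, _qclass = struct.unpack_from("!HH", msg, offset)
    offset += 4
    result = {"id": txn_id, "qname": qname, "qtype": qtype, "dnssec_ok": False, "options": {}}
    for _ in range(arcount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != OPT_TYPE:
            continue
        if name != ".":
            raise ValueError("OPT RR must be owned by the root name")
        if (ttl >> 16) & 0xFF != 0:
            raise ValueError("unsupported EDNS version")
        result["dnssec_ok"] = bool(ttl & DO_FLAG)
        result["udp_size"] = rclass
        pos = 0
        while pos < len(rdata):
            code, length = struct.unpack_from("!HH", rdata, pos)
            pos += 4
            result["options"][code] = rdata[pos:pos + length]
            pos += length
        if pos != len(rdata):
            raise ValueError("trailing bytes in OPT RDATA")
    return result


def resolver_decision(parsed: dict, blocklist=CRIMEWARE_BLOCKLIST) -> str:
    """Toy policy: filtering happens only if the client asked for it via the
    option; DNSSEC validation is decided separately by the DO bit."""
    policy = parsed["options"].get(FILTER_OPTION_CODE, b"\x00")
    if policy[0] & POLICY_BLOCK_CRIMEWARE and parsed["qname"] in blocklist:
        return "filtered"   # e.g. answer REFUSED; the client opted into this
    return "validate" if parsed["dnssec_ok"] else "resolve"


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com", 1, True, [(FILTER_OPTION_CODE, b"\x01")])
    print(parse_query(q), resolver_decision(parse_query(q)))
```

The parser deliberately rejects an OPT record not owned by the root name, a non-zero EDNS version, and trailing RDATA bytes, which are the checks a resolver needs before trusting anything the option carries.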