ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf] DNS spoofing at captive portals

2010-09-28 10:21:03
from [Phillip Hallam-Baker] [Permanent Link] 
The most frustrating part about DNSSEC is that trying to pin down what it is
and what it is not, what it is trying to do and what it is not is like
trying to nail jello to a wall.

Whenever an issue is raised with the DNSSEC protocol, someone immediately
shoots back the reply 'well we are not trying to solve that problem'. Which
is of course really easy when there is no clear statement of what real world
security issues that DNSSEC is trying to deal with.

Blocking one attack does not come close to justifying the cost of DNSSEC
deployment.


Is DLV a part of DNSSEC or not? I am not sure.

DLV is presented as being a stopgap, an interim measure to go away with full
DNSSEC deployment.

What I do know is that I want to use secure DNS in devices that are not
capable of performing public key cryptography. And even if every end point
device is capable of performing RSA2048 operations in acceptable time, I do
not want to push my trust management criteria out to my network endpoints.



On Tue, Sep 28, 2010 at 4:23 AM, Tony Finch <dot(_at_)dotat(_dot_)at> wrote:


On 28 Sep 2010, at 02:20, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> 
wrote:

On Mon, Sep 27, 2010 at 10:48 AM, Tony Finch < 
<dot(_at_)dotat(_dot_)at>dot(_at_)dotat(_dot_)at>wrote:


On Fri, 24 Sep 2010, Phillip Hallam-Baker wrote:


DNSSEC is a mechanism for establishing inter-domain trust. It is not an
appropriate technology for intra-domain trust.


Why not?



Because the root of trust for any enterprise is the enterprise itself. Not
ICANN.


DNSSEC does not require you to use only ICANN's trust anchor. You can also
use your enterprise trust anchor, so you can validate your enterprise DNS
independently of any third party.

(The keyassure work might make this approach to key distribution easier
than running an enterprise X.509 CA. DNSSEC also has the advantage of a
defined trust anchor rollover protocol.)

You can also use third party trust anchors such as the ISC's DLV.

Tony.
--
f.anthony.n.finch  <dot(_at_)dotat(_dot_)at>   
<http://dotat.at/>http://dotat.at/





-- 
Website: http://hallambaker.com/

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: US DoD and IPv6, Phillip Hallam-Baker
Next by Date:  RIM to Host IETF 81 in Quebec City, IETF Administrative Director
Previous by Thread:  Re: [ietf] DNS spoofing at captive portals, Tony Finch
Next by Thread:  Re: [ietf] DNS spoofing at captive portals, Mark Andrews
Indexes:  [Date] [Thread] [Top] [All Lists]