> Mark Andrews wrote:
> 
> >>DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives
> >>users false sense of security.
> 
> >     You already have to trust your parents to publish your
> >     delegating NS RRset.
> 
> So, technically, DNSSEC is no worse but no better than PODS.

No.

Can my ISP interfere without being detected?            PODS Yes.  DNSSEC No.
Can my neighbor spoof a reply without being detected?   PODS Yes.  DNSSEC No.
Can someone spoof a referral then have the answers from
the servers in the spoofed referral be believed?        PODS Yes.  DNSSEC No.

Can someone socially engineer a change in a TLD?        PODS Yes.  DNSSEC Yes.
 
> >>That is, WG discussion on securing NXDOMAIN has been totally
> >>meaningless.
> 
> >     That really depends on which persons you are attempting to
> >     prevent tampering from.
> 
> Social implementations of DNSSEC may be (or, considering its complexity,
> will always be) vulnerable to tampering from any person.
> 
> >     Which like most things to do with security is a matter of
> >     education.
> 
> Quick upgrading of programs with open security holes is another, but
> a lot easier, matter of education.

Upgrading programs is also a matter of education.  For that matter
running a DNS server is a matter of education.

The current DNSSEC is a very similar administration model to the
current DNS administration model.  There is minimal education involved.

> So, if we are discussing security in the real world, let's never
> assume that people are automagically educated to treat all the
> complex aspects of DNSSEC operations properly.

DNSSEC administration is not complex.  DNS glue management is more
complex than DNSSEC administration.  It's just that DNSSEC is new
that people believe that it is complex.

> >>As I already posted, try to improve implementations to use TCP with
> >>random sequence number and random port, which is not more
> >>difficult than to improve caching behavior of implementations.
> 
> >     TCP only addresses one of the issues.
> 
> Let's accept the reality that DNS operation is human and cannot be
> very secure.

The DNS can be secured from a number of current threats.  It can
never be secured from all threats.  That doesn't mean we should not
secure it from the threats that we can secure it from.

TCP, port randomisation, 0x20, EDNS PING etc. all leave gaping holes
in the security model which are being exploited today.

>                                                       Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
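Added example, not part of this thread: a simplified Go model of the chain-of-trust check behind the "spoofed referral" row of the table above. It assumes Ed25519 signatures (DNSSEC algorithm 15) over canonical-text stand-ins for the RRsets rather than the real DNS wire format; the zone names and addresses are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Model only: Ed25519 over canonical-text stand-ins for RRsets, not wire format.
// Response is what the resolver receives: the referral (child key, DS and the
// parent's signature over the DS) plus the answer RRset and its RRSIG stand-in.
type Response struct {
	Child            string
	ChildPub         ed25519.PublicKey
	DS, DSSig, RRSig []byte
	RRset            string
}

// dsRecord stands in for the parent's DS: a digest of the child's key,
// signed by the parent so that the referral itself is authenticated.
func dsRecord(parentPriv ed25519.PrivateKey, child string, childPub ed25519.PublicKey) (ds, sig []byte) {
	d := sha256.Sum256(childPub)
	return d[:], ed25519.Sign(parentPriv, []byte(child+" DS "+string(d[:])))
}

// Validate walks the chain from a configured trust anchor (the parent's key).
// A referral carrying a key the parent never vouched for fails at the DS check.
func Validate(anchor ed25519.PublicKey, r Response) bool {
	if !ed25519.Verify(anchor, []byte(r.Child+" DS "+string(r.DS)), r.DSSig) {
		return false // DS not signed by the trust anchor
	}
	if d := sha256.Sum256(r.ChildPub); !bytes.Equal(d[:], r.DS) {
		return false // referral key is not the one the DS names
	}
	return ed25519.Verify(r.ChildPub, []byte(r.RRset), r.RRSig)
}

// Scenario returns (genuineOK, spoofedOK). The spoofer on the path supplies its
// own key and answer but has no parent-signed DS for that key. Constructed data.
func Scenario() (genuineOK, spoofedOK bool) {
	parentPub, parentPriv, _ := ed25519.GenerateKey(rand.Reader)
	childPub, childPriv, _ := ed25519.GenerateKey(rand.Reader)
	spoofPub, spoofPriv, _ := ed25519.GenerateKey(rand.Reader)
	ds, dsSig := dsRecord(parentPriv, "www.example.", childPub)
	rr, bad := "www.example. IN A 192.0.2.1", "www.example. IN A 203.0.113.66"
	genuine := Response{"www.example.", childPub, ds, dsSig, ed25519.Sign(childPriv, []byte(rr)), rr}
	spoofed := Response{"www.example.", spoofPub, ds, dsSig, ed25519.Sign(spoofPriv, []byte(bad)), bad}
	return Validate(parentPub, genuine), Validate(parentPub, spoofed)
}
```

An unsigned (PODS-style) resolver has no equivalent of the DS step and would accept whichever of the two answers arrived first.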
