On Aug 19, 2008, at 6:40 AM, Masataka Ohta wrote:
> So what? NAT at airport must be, unlike NATs in enterprises,
> consumer friendly. Unlike high end NAT, low end NAT won't
> bother to interfere with DNS.

Right. Because low-end consumer gear is always so much better implemented than enterprise gear.

> Could you please provide us, not your personal experience, but
> an *EXHAUSTIVE*, or, at least exhaustive on high end, list on
> varieties of NAT functionalities?

I'll get right on that.

Actually, on second thought, you seem to be the one asserting fundamentally broken behavior on the part of high end gear. Shouldn't it be you that provides the data to back up your assertions?

> An increase in the number of nameservers directly interacting with
> authoritative nameservers increases not only legitimate queries but
> also DDOS queries.

You seem to be asserting that DDOS queries come from the same source as legitimate queries. Can I see your data that backs up this statement?

>> Alternatively, we could move to a more distributed model of DNS
>> operations in which the caching servers that are doing DNSSEC cache
>> the entire root zone, perhaps zone transferring the signed root zone
>> from some authoritative and trusted place.
>
> Are you seriously saying that you actively want to have intermediate
> caching servers between your laptop and authoritative servers?

No. I'm suggesting that if the root zone is signed, the root zone data can be obtained from places other than the root servers without concerns about data corruption and installed in caching servers (something quite a few folks already do, ignoring the risk of corrupted data). This data can then be distributed out to the edge. This should address any concerns anyone might have with overloading the root servers.

> Anyway, your approach is meaningless against "com.".

Due to the thrash in the COM zone, yes. Fortunately, I didn't suggest applying the distributed model to COM.

> As the person who still understands the math of both, I can
> authoritatively declare that DNSSEC is fundamentally broken,

Well, I guess that settles it then. You don't have to turn on DNSSEC.

> which you could have argued against 10 years ago but not now.

It's such a shame that computer processing technology for doing stuff like cryptography hasn't advanced in 10 years.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
