On Nov 20, 2003, at 2:00 PM, Ed Lewis wrote:

> Are you suggesting that there is a way to put data in DNS and be able
> to rely on it for security? (The double negation is playing tricks
> with my head.)

No. I am saying that information in the DNS can be a useful hint about whether or not something is fraudulent in some cases, for some attacks.

The threat model for spam and email viruses is that a very wide set of targets, chosen with no discrimination, are attacked with well-formed, forged messages. The attacker knows nothing about the victim. Large-scale forging of DNS records to facilitate such an attack is perhaps theoretically possible, but unlikely. And since the alternative to this protection mechanism is that the attack definitely succeeds, it's acceptable if the protection mechanism is not 100% reliable.

> A lot of services have relied on matching forward and reverse records
> for authentication of the client, but this is seen as weak. So much so
> that the "in-addr required" draft can't state this as a reason that the
> reverse map is important to have.

When the degree of desired protection is 100%, and failure is a disaster, you are absolutely right. The degree of success that's needed here is not 100%, though, and failure is the status quo, so the analogy fails.

_______________________________________________
dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
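The forward/reverse matching the thread discusses, written up as an added example (not code from the list or either poster) that treats the result as a soft hint rather than an authenticator. The record tables, the `fcrdns`/`spam_hint` names and the score weights are all assumptions constructed for this example; a real check would query a resolver instead of the stub dictionaries.

```python
from ipaddress import ip_address

# Constructed sample records standing in for live DNS lookups (assumption:
# a real implementation would query the resolver; the stub keeps this offline).
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.org."],    # reverse and forward agree
    "192.0.2.20": ["mail.example.org."],    # PTR names a host that does not point back
    "198.51.100.5": ["smtp.example.net."],  # PTR present, but the forward lookup fails
    # 203.0.113.7 has no PTR record at all
}
A_RECORDS = {
    "mail.example.org.": ["192.0.2.10"],
    # smtp.example.net. has no A record
}

def lookup_ptr(ip):
    return PTR_RECORDS.get(ip, [])

def lookup_a(name):
    return A_RECORDS.get(name, [])

def fcrdns(ip, ptr=lookup_ptr, a=lookup_a):
    """Forward-confirmed reverse DNS as a hint, not an authentication decision.

    Returns "confirmed" if some PTR name resolves back to the client address,
    "mismatch" if PTR names exist but none resolve back, "no-ptr" if the
    address has no reverse mapping.
    """
    ip = str(ip_address(ip))  # validate and normalise the address text
    names = ptr(ip)
    if not names:
        return "no-ptr"
    for name in names:
        if ip in a(name):
            return "confirmed"
    return "mismatch"

# Weight the hint the way the post argues it should be used: a score that is
# combined with other signals, never a hard accept/reject gate on its own.
HINT_SCORE = {"confirmed": 0.0, "no-ptr": 1.0, "mismatch": 2.0}

def spam_hint(ip):
    return HINT_SCORE[fcrdns(ip)]

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.7"):
        print(client, fcrdns(client), spam_hint(client))
```

A forged or missing PTR only raises the score; as the post says, the check is useful precisely because the undiscriminating attacker is unlikely to have arranged consistent forward and reverse records for every source address.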