Mark Andrews wrote:
>>In theory, yes, in practice, only those who supply large RRs
>>requiring TCP (or EDNS) will suffer.
> Well we are there now. Lots of answers require EDNS and/or
> TCP and the DNS resolution has not fallen over.
OK. So, those who supply large RRs requiring TCP
This is not the case, but if so, why would you bootstrap a DNSSEC
enabled server using a non-DNSSEC forwarder?
You haven't been following along with the discussion. There may be
DNSSEC-aware authority zones and DNSSEC-aware stub resolvers that might
use DNSSEC-oblivious intermediate caches. Fo
On Mon, 18 Aug 2008, Jim Reid wrote:
> And why would these caching servers be signing anything? It's the
> master server that signs the zone.
I never said otherwise.
Ok, I agree that totally DNSSEC-oblivious servers won't be a problem for
DoS, but of course remain susceptible to poisoning even
On Sun, 17 Aug 2008, Paul Wouters wrote:
> On Sun, 17 Aug 2008, Dean Anderson wrote:
>
> > There are two more problems with this.
> >
> > First, putting any kind of large record in the root creates the
> > opportunity to use root servers in a DoS attack by sending queries for
> > the large record
> Mark Andrews wrote:
>
> > RFC 4035 requires the upstream cache to be RFC 4035 aware.
>
> Thanks. As exemplified by the assumptions of RFC 3225, that's such an
> unrealistic requirement that no further discussion on DNSSEC
> is necessary. PERIOD.
Given just about anyone can configure a val
Mark Andrews wrote:
> RFC 4035 requires the upstream cache to be RFC 4035 aware.
Thanks. As exemplified by the assumptions of RFC 3225, that's such an
unrealistic requirement that no further discussion on DNSSEC
is necessary. PERIOD.
> And lack of TCP support will also break PODS responses a
On Sun, 17 Aug 2008, Ted Lemon wrote:
> On Aug 17, 2008, at 4:12 PM, Dean Anderson wrote:
> > Changing DNS protocol is considered by many to be expensive and risky.
> > Are you saying it's not expensive or risky? That seems to be a far more
> > bold assertion.
>
> Actually, you and Ohta-san
On Fri, Aug 15, 2008 at 4:51 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote:
> security layers are good. If we don't give those people the right tools to
> properly configure and properly maintain those configurations, there will be
> stability issues, as I listed earlier.
Let me tell you something.
On Sun, Aug 17, 2008 at 8:23 PM, Jim Reid <[EMAIL PROTECTED]> wrote:
> I suspect you're talking about the absurdly hypothetical scenario where
> someone gets a non DNSSEC-aware resolving server to lookup some RRSIG, then
> the zone is resigned, then they ask that server for the QTYPE that the
> a
> Jim Reid wrote:
>
> > I suspect you're talking about the absurdly hypothetical scenario where
> > someone gets a non DNSSEC-aware resolving server to lookup some RRSIG,
>
> Suppose you are using a DNSSEC-unaware caching forwarder shared by
> others including those who are using PODS, which i
Jim Reid wrote:
> I suspect you're talking about the absurdly hypothetical scenario where
> someone gets a non DNSSEC-aware resolving server to lookup some RRSIG,
Suppose you are using a DNSSEC-unaware caching forwarder shared by
others including those who are using PODS, which is often the cas
On Sat, 16 Aug 2008, Ted Lemon wrote:
The hype surrounding the Kaminsky report is unjustified. For example,
one can't steal bank information with this attack, as the mainstream
press has reported.
This isn't true, because if I can convince a naive user that he or
she is talking to y
On Sun, 17 Aug 2008, Dean Anderson wrote:
There are two more problems with this.
First, putting any kind of large record in the root creates the
opportunity to use root servers in a DoS attack by sending queries for
the large records to the root servers. Because of Root Anycasting, there
are ov
On 18 Aug 2008, at 00:43, Dean Anderson wrote:
First, putting any kind of large record in the root creates the
opportunity to use root servers in a DoS attack by sending queries for
the large records to the root servers.
Well, in that case we'd better not put anything into any DNS zone.
Because
On Fri, 15 Aug 2008, David Conrad wrote:
>
> Let me try to (hopefully) more clearly articulate my question: given
> the fact that caching servers only care about DNSSEC if they're
> explicitly configured to do so, does anyone anticipate any stability/
> security concerns to those folks who _h
On Aug 17, 2008, at 4:12 PM, Dean Anderson wrote:
Changing DNS protocol is considered by many to be expensive and risky.
Are you saying it's not expensive or risky? That seems to be a far more
bold assertion.
Actually, you and Ohta-san seem to be taking that position. That's
not "many."
On Sun, 17 Aug 2008, Ted Lemon wrote:
> On Aug 17, 2008, at 9:24 AM, Dean Anderson wrote:
> > Changing DNS doesn't eliminate the attack of misplaced trust. It
> > merely eliminates one method we know of for accomplishing the
> > attack, at great expense and great risk, I might add.
>
> You may no
> Mark Andrews wrote:
>
> >>Considering that two RRs each containing 2048 bit data will need
> >>oversized messages, they may not be properly treated by some
> >>servers.
> >>
> >>Those suffering from oversized messages may turn-off DNSSEC and there
> >> is instability for those moving with their
Masataka,
No, it won't. As David already pointed out, people not interested won't
set the DO bit so won't ask for DNSSEC.
I'm talking about people who are, foolishly enough, interested in
DNSSEC and asked for DNSSEC information sometimes in vain.
If they have configured DNSSEC, then they
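As an added illustration of the oversized-message and DO-bit points above (two 2048-bit DNSKEY RRs not fitting a classic 512-byte UDP answer, and what setting the DO bit actually asks for), and of the root-server amplification concern raised earlier in the thread, the following is a constructed Python example. It is not code from any poster, from BIND, or from any root server: it builds DNS queries with and without an EDNS0 OPT RR, runs them through a toy authoritative server that honours the client's advertised UDP limit and sets TC when it cannot fit the whole RRset, and reports the response/query byte ratio. The DNSKEY material is a placeholder byte pattern, not a real key, and the server's 4096-byte UDP limit is an assumption.

```python
import struct

# Constructed example: minimal DNS wire-format builder/parser plus a toy
# authoritative server. Not BIND or root-server code; the DNSKEY RDATA is a
# placeholder pattern sized like a 2048-bit RSA key, not a real key.

TYPE_DNSKEY = 48
TYPE_OPT = 41
DO_FLAG = 0x8000          # DNSSEC OK bit in the OPT RR "TTL" field (RFC 3225)
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
CLASSIC_UDP_LIMIT = 512   # pre-EDNS maximum UDP payload (RFC 1035)
SERVER_UDP_LIMIT = 4096   # assumed limit the toy server is willing to send over UDP

def encode_name(name):
    if name in ("", "."):
        return b"\x00"
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not used in these constructed messages")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off

def make_opt(udp_size, do):
    # OPT pseudo-RR: root name, type 41, class = advertised UDP size, TTL = flags (DO bit)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)

def build_query(name, qtype, qid=0x1234, edns_size=None, do=False):
    """Query as a stub or forwarder sends it; edns_size=None means no OPT RR at all."""
    hdr = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns_size else 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_size:
        msg += make_opt(edns_size, do)
    return msg

def parse_message(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions, records = [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    edns_size, do = CLASSIC_UDP_LIMIT, False
    for _, rtype, rclass, ttl, _ in records:
        if rtype == TYPE_OPT:          # advertised buffer size lives in the class field
            edns_size, do = rclass, bool(ttl & DO_FLAG)
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "questions": questions, "records": records, "edns_size": edns_size, "do": do}

def make_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def demo_dnskey_rrset():
    """Two DNSKEY RRs (KSK + ZSK) with 2048-bit-RSA-sized keys: 275 wire bytes each."""
    fake_key = b"\x03\x01\x00\x01" + bytes(range(256))   # exponent 65537 + 256-byte modulus pattern
    rrs = []
    for flags in (257, 256):                              # 257 = KSK (SEP bit), 256 = ZSK
        rdata = struct.pack("!HBB", flags, 3, 8) + fake_key   # protocol 3, algorithm 8
        rrs.append(make_rr(".", TYPE_DNSKEY, 3600, rdata))
    return rrs

def respond(query, answer_rrs):
    """Toy authoritative server: include whole RRs while they fit the client's UDP
    limit; set TC when something had to be left out, so the client retries over TCP."""
    q = parse_message(query)
    name, qtype, qclass = q["questions"][0]
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    client_has_edns = any(r[1] == TYPE_OPT for r in q["records"])
    limit = min(q["edns_size"], SERVER_UDP_LIMIT) if client_has_edns else CLASSIC_UDP_LIMIT
    opt = make_opt(SERVER_UDP_LIMIT, q["do"]) if client_has_edns else b""
    body, included, tc = b"", 0, 0
    for rr in answer_rrs:
        if 12 + len(question) + len(body) + len(rr) + len(opt) > limit:
            tc = FLAG_TC
            break
        body += rr
        included += 1
    hdr = struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_AA | FLAG_RD | tc,
                      1, included, 0, 1 if opt else 0)
    return hdr + question + body + opt

def amplification(query, response):
    """Bytes the server sends per byte the (possibly spoofed-source) client sent."""
    return len(response) / len(query)

if __name__ == "__main__":
    rrset = demo_dnskey_rrset()
    for label, q in (("plain UDP, no EDNS", build_query(".", TYPE_DNSKEY)),
                     ("EDNS0 4096 + DO", build_query(".", TYPE_DNSKEY, edns_size=4096, do=True))):
        r = respond(q, rrset)
        p = parse_message(r)
        print(f"{label}: query {len(q)} B, response {len(r)} B, TC={p['tc']}, "
              f"records={len(p['records'])}, amplification x{amplification(q, r):.1f}")
```

Run stand-alone, the 17-byte non-EDNS query gets a 292-byte truncated answer carrying one of the two keys (the resolver must fall back to TCP to get the RRset), while the 28-byte EDNS/DO query gets the full 578-byte answer over UDP, roughly a 20x byte amplification toward whatever source address the query claimed. A DNSSEC-oblivious forwarder in the middle never sends the OPT RR, so it sits on the first path; that is the TCP dependency the thread is arguing about.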
On Sun, 17 Aug 2008, Jaap Akkerhuis wrote:
>
> > Also, a well-behaving resolver
> > has far fewer requests to the root servers than to other servers.
>
> Why, do you think, that servers other than the root servers won't
> reply with oversized messages?
>
> Don't twist my wo
On Aug 17, 2008, at 9:24 AM, Dean Anderson wrote:
Changing DNS doesn't eliminate the attack of misplaced trust. It merely
eliminates one method we know of for accomplishing the attack, at great
expense and great risk, I might add.
You may not add that unless you are willing to justify the a
On Sat, 16 Aug 2008, Ted Lemon wrote:
> On Aug 16, 2008, at 9:35 PM, Dean Anderson wrote:
> > - If Mal cracks someone else's server, that server still doesn't have
> > the bank's certificate, and won't have the bank's dns domain, either.
> > So the browser should think that it got the wrong certif
> Also, a well-behaving resolver
> has far fewer requests to the root servers than to other servers.
Why, do you think, that servers other than the root servers won't
reply with oversized messages?
Don't twist my words. I never said that.
jaa
Jaap Akkerhuis wrote:
> > Given this, does anyone see any DNS security and/or stability concerns
> > if a miracle were to happen and the root were to be signed tomorrow?
>
> Well, it will introduce a lot of large RRs, which may cause problems.
>
> No, it won't. As David alr
> Given this, does anyone see any DNS security and/or stability concerns
> if a miracle were to happen and the root were to be signed tomorrow?
Well, it will introduce a lot of large RRs, which may cause problems.
No, it won't. As David already pointed out, people not intere
2008/8/15 David Conrad <[EMAIL PROTECTED]>:
> Hi,
>
> On Aug 15, 2008, at 9:15 AM, Ted Lemon wrote:
>>
>> But until we have root and .com signed, and until the average end-user is
>> protected by a validating resolver, we aren't done yet, and I don't really
>> get any actual benefit from my efforts