Re: DNS over SCTP

2009-05-28 Thread Alessandro Vesely
Stephane Bortzmeyer wrote: It seems that DNS over SCTP would solve 90% of the problems with 10% of the efforts and resources required to implement DNSSEC. However, I hear more often about the latter than the former. How come? I've read this message via the IETF general mailing list and

Re: DNS over SCTP

2009-05-28 Thread Stephane Bortzmeyer
On Thu, May 28, 2009 at 04:16:31PM +0200, Alessandro Vesely wrote a message of 14 lines which said: > The discussion was about how to get rid of the threats illustrated, > e.g., in Kaminsky, D.: "It's the end of the cache as we know it." I know about Kaminsky bug, the WG "DNS operations" a

Re: DNS over SCTP

2009-05-28 Thread Alessandro Vesely
Stephane Bortzmeyer wrote: On Thu, May 28, 2009 at 04:16:31PM +0200, Alessandro Vesely wrote a message of 14 lines which said: The discussion was about how to get rid of the threats illustrated, e.g., in Kaminsky, D.: "It's the end of the cache as we know it." I know about Kaminsky bug

Re: DNS over SCTP

2009-05-28 Thread Michel Py
___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf

Re: DNS over SCTP

2009-05-28 Thread Paul Wouters
On Thu, 28 May 2009, Alessandro Vesely wrote: The limitations in TCP or SCTP security stem from transport security is pretty meaningless in the DNS world which operates using a distributed caching system. This is why dnscurve is just an academic experiment that can never leave the lab for the r

Re: DNS over SCTP

2009-05-28 Thread David Conrad
ng every DNSSEC server to support DNS over SCTP. Regards, -drc

Re: DNS over SCTP

2009-05-28 Thread Douglas Otis
t DNSSEC deployed than it would be to get every router/firewall/NAT manufacturer and network operator to support/ deploy SCTP, not to mention getting every DNSSEC server to support DNS over SCTP. While TCP represents a possible fall-back method whenever UDP overflows, TCP is not assured

Re: DNS over SCTP

2009-05-28 Thread David Conrad
S0 over UDP. Deploying DNS on SCTP should be possible in parallel with the DNSSEC effort. I have no objection to anyone proposing DNS over SCTP and would agree there are benefits. I am simply saying that channel security (such as DNS over SCTP) does not actually protect what matters, the data th

Re: DNS over SCTP

2009-05-28 Thread Masataka Ohta
Douglas Otis wrote: > While DNSSEC may protect against data corruption, So does TCP, UDP or SCTP checksum. A problem is that such protection is not valid over a chain of certificate authorities or caching servers. > such protection > depends upon the thorny problem of verifying a key wi

Re: DNS over SCTP

2009-05-29 Thread Alessandro Vesely
Paul Wouters wrote: On Thu, 28 May 2009, Alessandro Vesely wrote: The limitations in TCP or SCTP security stem from transport security is pretty meaningless in the DNS world which operates using a distributed caching system. One has to trust each cache! Given that it is pretty easy to predi

Re: DNS over SCTP

2009-05-29 Thread Alessandro Vesely
David Conrad wrote: However, pragmatically speaking, I suspect it is going to be much, much easier to get DNSSEC deployed than it would be to get every router/firewall/NAT manufacturer and network operator to support/deploy SCTP, not to mention getting every DNSSEC server to support DNS over

Re: DNS over SCTP

2009-05-29 Thread Michael Tüxen
to mention getting every DNSSEC server to support DNS over SCTP. Shouldn't be difficult. I'm not much into either technology, but since SCTP can be tunneled through UDP, it should be possible to retrofit SCTP adoption onto an existing DNS implementation. On an OS that pro

Re: DNS over SCTP

2009-05-29 Thread Paul Wouters
On Fri, 29 May 2009, Alessandro Vesely wrote: transport security is pretty meaningless in the DNS world which operates using a distributed caching system. One has to trust each cache! Your solution to protect the DNS is "just trust everyone"? Given that it is pretty easy to predict a subset

Re: DNS over SCTP

2009-05-29 Thread Francis Dupont
e inserted between the DNS daemon and its UDP sockets may operate the UDP/SCTP conversion when the remote hosts support it. => I don't understand your argument: it seems to apply to UDP over SCTP but here we have SCTP over UDP. BTW the easiest way to convert DNS over UDP into DNS over

Re: DNS over SCTP

2009-05-29 Thread David Conrad
Alessandro, On May 29, 2009, at 12:09 AM, Alessandro Vesely wrote: One has to trust each cache! With DNSSEC, you don't have to trust the cache since the only thing the miscreants who compromise the cache can do is the functional equivalent of removing the entry from the cache. Given that

Re: DNS over SCTP

2009-05-29 Thread Alessandro Vesely
Dean Anderson wrote: TCP is used by many, if not all, resolvers to get large responses. And I'm working on changes to DJBDNS dnscache that enable a configuration option to use TCP by default and fall back to UDP if TCP is not available. As that would increase security, I imagine that many op

Re: DNS over SCTP

2009-05-29 Thread Alessandro Vesely
David Conrad wrote: Given that it is pretty easy to predict a subset of the queries a given server will issue in a given time frame, using SCTP can improve reliability better than adding another 32bit random number. 1) It isn't easy What did your mail server look up after receiving this messa

Re: DNS over SCTP

2009-05-29 Thread Paul Wouters
On Fri, 29 May 2009, Alessandro Vesely wrote: It's what the patch has reinforced. SCTP is more secure than the patched bind, yet easier than DNSSEC. where easier means "update all the root and TLD servers and load balancers and what not to support DNS over SCTP. While DNSSEC is

Re: DNS over SCTP

2009-05-29 Thread Paul Wouters
On Fri, 29 May 2009, Masataka Ohta wrote: Though there seems to be some confusion that DNSSEC security were end to end It is. , below is an excerpt from an authentic document by David Clark on how PKI, including DNSSEC, involves certificate authorities DNSSEC involves no certificates and n

Re: DNS over SCTP

2009-05-29 Thread Masataka Ohta
Paul Wouters wrote: > DNSSEC involves no certificates and no certificate authorities. You know > this. As is documented in the paper of David Clark; http://portal.acm.org/citation.cfm?doid=383034.383037 These certificates are principal components of essentially all public key schemes, e

Re: DNS over SCTP

2009-05-29 Thread Mark Andrews
In message <4a20539e.3070...@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes: > Paul Wouters wrote: > > > DNSSEC involves no certificates and no certificate authorities. You know > > this. > > As is documented in the paper of David Clark; > >http://portal.acm.org/citation.cfm?doid=383034.

Re: DNS over SCTP

2009-05-29 Thread Masataka Ohta
Dean Anderson wrote: > The dispute on 'certificate' is over the definition of what > 'certificate' means. As I used the word 'certificate' with a reference, there is no point to argue against me with terminology different from the refereed paper. Anyway, the definition of 'certificate' does not

Re: DNS over SCTP

2009-05-29 Thread Douglas Otis
On May 29, 2009, at 7:33 AM, Francis Dupont wrote: I don't understand your argument: it seems to apply to UDP over SCTP but here we have SCTP over UDP. BTW the easiest way to convert DNS over UDP into DNS over SCTP is to use an ALG (application layer gateway) which in the DNS is kno

Re: DNS over SCTP

2009-05-30 Thread Alessandro Vesely
Paul Wouters wrote: On Fri, 29 May 2009, Alessandro Vesely wrote: It's what the patch has reinforced. SCTP is more secure than the patched bind, yet easier than DNSSEC. where easier means "update all the root and TLD servers and load balancers and what not to support DNS over S

Re: DNS over SCTP

2009-05-30 Thread Francis Dupont
In your previous mail you wrote: => I keep this because your answer is not about this... > I don't understand your argument: it seems to apply to UDP over SCTP > but here we have SCTP over UDP. BTW the easiest way to convert DNS > over UDP into DNS over SCTP

Re: DNS over SCTP

2009-08-11 Thread AJ Jaghori
This is a common misconception. DNS over SCTP will not solve 90% of the problems! On Thu, May 28, 2009 at 10:16 AM, Alessandro Vesely wrote: > Stephane Bortzmeyer wrote: > >> It seems that DNS over SCTP would solve 90% of the problems with 10% >>> of the efforts and

Re: DNS over SCTP

2009-08-12 Thread Alessandro Vesely
AJ Jaghori wrote: This is a common misconception. DNS over SCTP will not solve 90% of the problems! Why? Attackers are able to guess what DNS queries an SMTP server would put as a consequence of a client connection. Even after the Kaminsky fix, that leaves room for brute force attacks. If
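Added example, not code posted by anyone in this thread: a toy model of the off-path spoofing race argued over in Vesely's 2009-05-29 reply to Conrad ("adding another 32bit random number") and in the 2009-08-12 message above (brute force after the Kaminsky fix), plus Conrad's point that with DNSSEC a won channel only amounts to a missing cache entry. A forged reply is accepted only if every field the resolver checks matches the outstanding query, which the attacker cannot see. Over UDP that is the 16-bit TXID plus the randomized source port; over SCTP the 32-bit verification tag is added. Assumptions made here: the source port contributes a full 16 bits (real ephemeral ranges are smaller), and HMAC with a shared key stands in for RRSIG public-key verification; the names, addresses and key are constructed sample data.

```python
"""Toy model of off-path DNS spoofing: channel guessing vs. data validation.
Added illustration; assumptions are marked in comments."""
import hashlib
import hmac
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Query:
    txid: int            # 16-bit DNS transaction ID
    sport: int           # resolver source port (randomized after the Kaminsky fix)
    vtag: Optional[int]  # SCTP verification tag; None when the query went over UDP


@dataclass(frozen=True)
class Reply:
    txid: int
    dport: int
    vtag: Optional[int]
    name: str
    rdata: str
    sig: bytes = b""     # stand-in RRSIG; empty when the reply is unsigned


def channel_accepts(q: Query, r: Reply) -> bool:
    """Transport-level check: does this reply match the outstanding query?"""
    if r.txid != q.txid or r.dport != q.sport:
        return False
    if q.vtag is not None and r.vtag != q.vtag:
        return False  # SCTP: the off-path sender also had to guess the 32-bit tag
    return True


def guess_bits(port_randomized: bool, transport: str) -> int:
    """Bits an off-path attacker must guess for one forged reply to be accepted."""
    bits = 16                 # TXID
    if port_randomized:
        bits += 16            # source port (assumption: full 16 bits of entropy)
    if transport == "sctp":
        bits += 32            # SCTP verification tag
    return bits


def success_probability(bits: int, attempts: int) -> float:
    """P(at least one of `attempts` uniformly random forgeries is accepted)."""
    return -math.expm1(attempts * math.log1p(-2.0 ** -bits))


def attempts_for_half(bits: int) -> float:
    """Forgeries needed for a 50% chance of winning one race window."""
    return math.log(0.5) / math.log1p(-2.0 ** -bits)


# DNSSEC stand-in: data-origin authentication that does not depend on the channel.
# Assumption: HMAC with a shared zone key replaces real RRSIG/DNSKEY verification.
def sign_rrset(zone_key: bytes, name: str, rdata: str) -> bytes:
    return hmac.new(zone_key, f"{name}|{rdata}".encode(), hashlib.sha256).digest()


def validator_accepts(zone_key: bytes, r: Reply) -> bool:
    return hmac.compare_digest(sign_rrset(zone_key, r.name, r.rdata), r.sig)


def resolve(q: Query, r: Reply, cache: dict, zone_key: Optional[bytes]) -> str:
    """Resolver decision for one incoming reply: 'dropped', 'bogus' or 'cached'."""
    if not channel_accepts(q, r):
        return "dropped"   # wrong guess; the reply never reaches the cache
    if zone_key is not None and not validator_accepts(zone_key, r):
        return "bogus"     # channel won, data fails validation: SERVFAIL, nothing cached
    cache[r.name] = r.rdata
    return "cached"


if __name__ == "__main__":
    q = Query(txid=0x1234, sport=40123, vtag=None)
    forged = Reply(0x1234, 40123, None, "mx.example", "203.0.113.9")  # constructed
    key = b"constructed zone key"
    print(resolve(q, forged, {}, None), resolve(q, forged, {}, key))
    for label, b in (("udp, no port rand", 16), ("udp, port rand", 32), ("sctp", 64)):
        print(f"{label}: {b} bits, 65536 forgeries -> p={success_probability(b, 65536):.3g}")
```

With an unvalidating resolver the forged reply that wins the channel race lands in the cache; with the validator in place the same reply is rejected and the only effect is a missing entry. The probability figures show the same thing the thread argues over in words: 65536 forgeries in one window are near-certain against a bare 16-bit TXID, roughly one in 65536 against TXID plus a fully random port, and negligible once an SCTP verification tag has to be guessed too.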

DNS over SCTP (was: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

2009-05-28 Thread Alessandro Vesely
DNS more robust, use of SCTP is likely to remain just a good and under appreciated option. It seems that DNS over SCTP would solve 90% of the problems with 10% of the efforts and resources required to implement DNSSEC. However, I hear more often about the latter than

Re: DNS over SCTP (was: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

2009-05-28 Thread Stephane Bortzmeyer
oyment issues, like everything which was invented after Jon Postel's death. > It seems that DNS over SCTP would solve 90% of the problems with 10% > of the efforts and resources required to implement DNSSEC. However, > I hear more often about the latter than the former. How come? I'

Re: DNS over SCTP (was: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

2009-05-29 Thread Francis Dupont
o. That's, AFAIK, the only advantage of TCP over SCTP: it's already in place and ready. (Yes, one needs to run firewalls and all that stuff.) => this is not a new idea but today no server or resolver implementation supports DNS over SCTP. I have a lot of sympathy for SCTP but for