To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Brad Knowles <brad.knowles@skynet.be>
Cc: Mark.Andrews@isc.org, namedroppers@ops.ietf.org, dnsop@cafax.se, dnssec@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Sat, 20 Jul 2002 22:42:12 +0200
In-Reply-To: <200207202005.FAA07398@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: dnssec discussion today at noon
At 5:05 AM +0859 2002/07/21, Masataka Ohta wrote:

>> They are subject to replay attacks.
>
> PAP is, CHAP is not.

Authentication != encryption. Moreover, as I said before, this is just one piece of the security puzzle, and using CHAP does not preclude using other technologies as well.

> In addition, you should know that cache poisoning of DNS is
> prevented simply by having separate cache for each referral
> point, which has nothing to do with cryptography but can be
> understood with basic knowledge on computer security.

I believe that we could make nameservers much more resistant to cache-poisoning attacks simply by separating authoritative service from caching service, either by putting them on separate machines, or running them in separate instances of the nameserver software. I believe that we should work towards this goal.

Yes, you could use PKC to help solve the cache poisoning problem, but there are other methods you can also pursue, and I do not believe that pursuing one method necessarily precludes also using other methods.

However, using PKC allows us to do a lot more things than we could think of doing before, because we would now have externally provable non-repudiation, among other things. For example, we could use PKC at the DNS level to help us reliably implement a PKI on top of the DNS, which might be usable for things other than the DNS itself.

> We can not be responsible for the stupidity of someone who uses
> DNSSEC to secure billion dollar transactions.

They would not be using DNSSEC as their sole method of securing the transactions. However, without DNSSEC there is a critical piece of the puzzle that they are unable to secure by themselves, thus leaving themselves more vulnerable. People in this situation need help in securing this part of the picture, and so far the only method that looks even potentially suitable is DNSSEC.

This is the cornerstone of all future business on the Internet. It is a critical component to the security of the entire Internet, one that might let us get one more step away from the reality painted by KC Claffy at <http://www.caida.org/outreach/presentations/dns0701/mgp00003.html>.

Why are you so violently opposed to progress?

--
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.
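The separation Brad argues for above (authoritative service and caching service in separate nameserver instances) is shown here as an added configuration example; it is not part of the message, and it is not a configuration published by ISC or any other project named in the thread. It uses BIND 9 `named.conf` syntax; the zone name `example.com`, the file paths, and the 192.0.2.0/24 addresses are constructed placeholders.

```conf
// --- Instance 1: authoritative-only server (file: /etc/named-auth.conf, assumed path) ---
// This instance serves its own zones and never recurses, so it never
// holds cached data from other servers that could be poisoned and
// later mixed into answers for the zones it is authoritative for.
options {
    directory "/var/named-auth";          // assumed working directory
    listen-on { 192.0.2.1; };             // constructed address
    recursion no;                         // answer only from local zone data
    allow-query { any; };                 // authoritative data is public
    allow-transfer { none; };             // zone transfers only to listed secondaries
    minimal-responses yes;                // keep additional-section data to the minimum
};

zone "example.com" {
    type master;
    file "db.example.com";                // constructed zone file name
};

// --- Instance 2: caching resolver (file: /etc/named-cache.conf, assumed path) ---
// This instance holds no authoritative zones, so a poisoned cache entry
// can never shadow or overwrite authoritative data, and recursion is
// offered only to the site's own clients.
options {
    directory "/var/named-cache";         // assumed working directory
    listen-on { 192.0.2.2; };             // constructed address, distinct from instance 1
    recursion yes;
    allow-recursion { 192.0.2.0/24; };    // only local clients may use the cache
    allow-query-cache { 192.0.2.0/24; };  // cache contents are not visible to outsiders
    allow-transfer { none; };
};
```

Each fragment is a separate `named.conf` for a separate `named` process (or a separate machine), which is the arrangement the message describes; the two must not be merged into one file, since BIND accepts only one `options` block per configuration. The point of the split is that the authoritative instance has nothing to poison and the caching instance has nothing authoritative to corrupt; the caching instance still needs the usual resolver hygiene (source-port randomization, and DNSSEC validation where available) because the split limits the blast radius of poisoning rather than preventing it.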