To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Brad Knowles <brad.knowles@skynet.be>
Cc: Mark.Andrews@isc.org, namedroppers@ops.ietf.org, dnsop@cafax.se, dnssec@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Sat, 20 Jul 2002 22:42:12 +0200
In-Reply-To: <200207202005.FAA07398@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: dnssec discussion today at noon

At 5:05 AM +0859 2002/07/21, Masataka Ohta wrote:
>> They are subject to replay attacks.
>
> PAP is, CHAP is not.
Authentication != encryption. Moreover, as I said before, this
is just one piece of the security puzzle, and using CHAP does not
preclude using other technologies as well.
> In addition, you should know that cache poisoning of DNS is
> prevented simply by having separate cache for each referral
> point, which has nothing to do with cryptography but can be
> understood with basic knowledge on computer security.
I believe that we could make nameservers much more resistant to
cache-poisoning attacks simply by separating authoritative service
from caching service, either by putting them on separate machines, or
running them in separate instances of the nameserver software. I
believe that we should work towards this goal.
Yes, you could use PKC to help solve the cache poisoning problem,
but there are other methods you can also pursue, and I do not believe
that pursuing one method necessarily precludes also using other
methods.
However, using PKC allows us to do a lot more things than we
could think of doing before, because we would now have externally
provable non-repudiation, among other things. For example, we could
use PKC at the DNS level to help us reliably implement a PKI on top
of the DNS, which might be usable for things other than the DNS
itself.
> We can not be responsible for the stupidity of someone who uses
> DNSSEC to secure billion dollar transactions.
They would not be using DNSSEC as their sole method of securing
the transactions. However, without DNSSEC there is a critical piece
of the puzzle that they are unable to secure by themselves, thus
leaving themselves more vulnerable. People in this situation need
help in securing this part of the picture, and so far the only method
that looks even potentially suitable is DNSSEC.
This is the cornerstone of all future business on the Internet.
It is a critical component to the security of the entire Internet,
one that might let us get one more step away from the reality painted
by KC Claffy at
<http://www.caida.org/outreach/presentations/dns0701/mgp00003.html>.
Why are you so violently opposed to progress?
--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
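The separation of authoritative and caching service suggested in the message above, shown as an added BIND configuration example that is not part of the original thread: two named instances on one host, each started with its own config file. The zone name, file paths and addresses are assumptions (192.0.2.0/24 is the documentation range).

```conf
# Added example, not from the original message. Two independent instances,
# started separately, e.g.:
#   named -c /etc/named-auth.conf
#   named -c /etc/named-cache.conf
# Zone name, paths and addresses are assumptions.

# ---- /etc/named-auth.conf : authoritative service only ----
options {
    directory "/var/named/auth";
    listen-on { 192.0.2.1; };      # public address for the zones we serve
    recursion no;                  # never resolve on behalf of clients
    allow-query { any; };          # anyone may ask for our zone data
    # This instance holds no cache, so there is nothing here to poison;
    # every answer comes from the loaded zone files.
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

# ---- /etc/named-cache.conf : caching service only ----
options {
    directory "/var/named/cache";
    listen-on { 192.0.2.2; };           # address handed out to our own clients
    recursion yes;                      # resolve on behalf of clients ...
    allow-recursion { 192.0.2.0/24; };  # ... but only for our own networks
    allow-query { 192.0.2.0/24; };
    # This instance serves no zones of its own, so whatever it caches is
    # never presented as authoritative data.
};
```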