To: Pekka Savola <pekkas@netcore.fi>
cc: Robert Elz <kre@munnari.OZ.AU>, Kenneth Porter <shiva@sewingwitch.com>, <dnsop@cafax.se>
From: Edward Warnicke <eaw@cisco.com>
Date: Sat, 1 Mar 2003 12:59:01 -0500 (EST)
In-Reply-To: <Pine.LNX.4.44.0303011045440.27841-100000@netcore.fi>
Sender: owner-dnsop@cafax.se
Subject: Re: Request for review of DNS related draft
Would the following paragraph in Security Considerations acceptably cover
this:

    Any revelation of information to the public internet about the
    internal structure of your network may make it easier for nefarious
    persons to mount diverse attacks upon your network. Consequently
    care should be exercised in deciding which (if any) of the DNS
    resource records described in this draft should be made visible to
    the public internet.

Does this cover your security related concerns?

Ed

On Sat, 1 Mar 2003, Pekka Savola wrote:

> On Fri, 28 Feb 2003, Edward Warnicke wrote:
> > Could you be more specific about what security considerations
> > you see?
>
> Mainly revealing information to anyone that isn't accessible to anyone
> except those in the local network at the moment. Dangerous.
>
> > In terms of operational resistance to use, I'd expect it to be about on
> > par with the use of rp and hinfo records. Organizations which find
> > utility in having those records populated use them, organizations that
> > don't see value don't use them. I've been in organizations which break
> > both ways on hinfo and rp records. If an organization finds value in
> > deploying this scheme, they will. It's a question of applications.
>
> HINFO and RP are *very* rarely used. They're just not useful (even
> dangerous) in the global Internet use. On the other hand, in a very
> restricted network with local domain-names, these (and some others, also)
> may be used.
>
> > On Fri, 28 Feb 2003, Pekka Savola wrote:
> >
> > > On Fri, 28 Feb 2003, Robert Elz wrote:
> > > [...]
> > > > Why would my nodes care what the network that contains some random IP
> > > > address might happen to be (or why would I ever care more than the
> > > > routing tables will tell me) ?
> > >
> > > Being able to do something like this would have quite a few security
> > > considerations, besides -- in addition to operational reluctance to take
> > > it to use.
> > >
> > > Finding your *own* info could be useful, but you really need most of that
> > > information before you can make the DNS query..
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
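The thread's point is that descriptive records such as HINFO and RP reveal internal structure and so belong, if anywhere, in a view that only the local network can query. The script below is an added example, not part of the thread or of the draft under review: it parses a small BIND-style zone, reports the records that describe hosts or people rather than merely name them, and builds a split-horizon pair of views in which the public view omits them. The zone text, names and addresses are constructed for the example; treating TXT and LOC as descriptive alongside HINFO and RP is an assumption of the example, and the parser deliberately handles only single-line records without parentheses.

```python
"""Audit a zone for records that disclose internal network structure.

Added example (not the thread's or the draft's own code). It flags
HINFO/RP-style descriptive records and shows a split-horizon layout
in which only the internal view carries them.
"""
import re
from typing import Dict, List, NamedTuple


class RR(NamedTuple):
    owner: str   # fully qualified owner name
    rtype: str   # record type, e.g. "A", "HINFO"
    rdata: str   # rdata exactly as written in the zone


# Record types whose purpose is to describe a host or its operators.
# HINFO and RP are the two the thread discusses; TXT and LOC are added
# here by assumption because they commonly carry the same kind of data.
DISCLOSURE_TYPES = {
    "HINFO": "hardware and operating system description",
    "RP": "responsible-person mailbox and pointer",
    "TXT": "free text (often contact or inventory data)",
    "LOC": "physical location",
}

# One master-file record: owner (blank repeats the previous owner),
# optional TTL, optional class, type, rdata. No multi-line records.
RR_LINE = re.compile(
    r"^(?P<owner>\S*)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?"
    r"(?P<rtype>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)

# Constructed sample zone; every name and address here is fictitious.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN  SOA   ns1.example.com. hostmaster.example.com. 2003030101 7200 3600 1209600 3600
@        IN  NS    ns1.example.com.
ns1      IN  A     192.0.2.1
www      IN  A     192.0.2.10
db1      IN  A     192.0.2.20
         IN  HINFO "PC-Intel" "Linux"      ; describes the host itself
         IN  RP    dba.example.com. dba-info.example.com.
dba-info IN  TXT   "DBA team, room 4.12, ext 4242"
"""


def parse_zone(text: str) -> List[RR]:
    """Parse single-line master-file records into fully qualified RRs."""
    origin = "."
    last_owner = None
    records: List[RR] = []
    for raw in text.splitlines():
        line = re.sub(r"\s*;.*$", "", raw)  # strip ';' comments (not quote-aware)
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        owner = m.group("owner") or last_owner
        if owner is None:
            raise ValueError("record with blank owner before any owner")
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." if origin == "." else f"{owner}.{origin}"
        last_owner = owner
        records.append(RR(owner, m.group("rtype"), m.group("rdata")))
    return records


def audit(records: List[RR]) -> List[str]:
    """One finding per record whose type describes internal structure."""
    return [
        f"{rr.owner} {rr.rtype}: {DISCLOSURE_TYPES[rr.rtype]} -> {rr.rdata}"
        for rr in records
        if rr.rtype in DISCLOSURE_TYPES
    ]


def split_views(records: List[RR]) -> Dict[str, List[RR]]:
    """Split horizon: the internal view keeps everything, the public view
    keeps only records needed to name and reach hosts."""
    return {
        "internal": list(records),
        "public": [rr for rr in records if rr.rtype not in DISCLOSURE_TYPES],
    }


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for finding in audit(recs):
        print("DISCLOSURE:", finding)
    views = split_views(recs)
    print(f"internal view: {len(views['internal'])} records, "
          f"public view: {len(views['public'])} records")
```

Run against the constructed zone it reports the HINFO, RP and TXT records on db1 and dba-info, and the public view shrinks from eight records to the five (SOA, NS and three A records) that resolvers outside the network actually need.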