To: Ed Warnicke <eaw@cisco.com>
Cc: Brad Knowles <brad.knowles@skynet.be>, Peter Koch <pk@TechFak.Uni-Bielefeld.DE>, DNSOP WG <dnsop@cafax.se>
From: Brad Knowles <brad.knowles@skynet.be>
Date: Thu, 10 Jul 2003 02:11:03 +0400
In-Reply-To: <3F0C5B65.9030109@cisco.com>
Sender: owner-dnsop@cafax.se
Subject: Re: draft-warnicke-network-dns-resolution-02.txt
At 2:13 PM -0400 2003/07/09, Ed Warnicke wrote:

> This requirement can be fulfilled in a number of ways, but clearly
> service providers would like to comply with legal requirements in the
> least expensive possible way.

Note that there are many facets to the term "expensive" in this context. We can only address a small subset of them, and I believe that there are other factors which are dominant but on which we cannot have any impact.

> If the mediation device vendors can integrate against a particular use
> of the existing DNS system, this should be much less expensive.

Not true. At least, not entirely true. What you really need is a standard. But that standard doesn't necessarily have to have anything whatsoever to do with the DNS.

Until you can convince me that there is no other possible way that this issue can be addressed (other than using the DNS), you're going to have an uphill battle.

Moreover, since we're talking about a mechanism that would be pretty much purely dictated by the US gov't, I think you would find very strong opposition to incorporating anything remotely related to it into an International standard protocol, such as the DNS.

> This is a good point, and one that has been brought up before. There
> are ways of controlling the distribution of RR from a particular edge
> network if the network owner is concerned. I also mentioned this issue
> in the Security Considerations section of the draft.

Sorry, I don't buy this for a moment. There are way, way too many nameservers out there that are public recursive/caching nameservers which could be abused to provide this sort of information to external parties.

Moreover, not only are these nameservers configured in such a way as to allow this information to escape, they are also vulnerable to cache pollution and poisoning, which could be far, far worse in the context of anyone actually depending on the information returned by these machines for law enforcement purposes, and where real lives could literally be on the line.

You're talking about relying on a "security mechanism" that is leaky enough to allow entire galaxies to pass through, and probably even small universes. You've got to have something better that can't be simply blown out of the water by a single poorly set up nameserver, or a small collection of poorly set up nameservers.

Of course, probably something like 99% of all nameservers are public recursive/caching and vulnerable to cache pollution/poisoning. Certainly, my own survey of the gTLD, ccTLD, and root nameservers indicates that over 50% of all the ccTLD, gTLD, and root nameservers are open public recursive/caching nameservers, affecting almost 80% of all the TLDs in the world (see <http://www.shub-internet.org/brad/papers/dnscomparison/>). And these are supposedly the best-run nameservers in the world. What is the rest of the world like?

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.
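As an added example (not part of Brad's message or of the draft under discussion), a small Python checker for the "open public recursive/caching nameserver" condition he describes, for auditing your own servers: it builds a query with RD set, parses the response header, and treats RA set plus a NOERROR, non-authoritative answer as a sign of open recursion. It assumes the queried name is one the server is not authoritative for; the sample responses are constructed inline and use an RFC 5737 documentation address.

```python
import struct

def build_query(name, txid=0x1234, qtype=1):
    """Build a DNS A query (IN class) with the RD (recursion desired) bit set."""
    flags = 0x0100  # RD=1, everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(resp):
    """Parse the DNS header and judge whether the server served a recursive
    answer.  'open_recursive' is True only when RA is set, RCODE is NOERROR,
    the answer is not authoritative, and at least one answer RR came back
    (assumption: the caller asked for a name outside the server's zones)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    info = {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,  # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }
    info["open_recursive"] = info["ra"] and info["rcode"] == 0 and an > 0 and not info["aa"]
    return info

# Constructed sample responses (no network involved), both answering
# build_query("example.com.").  192.0.2.1 is a placeholder address.
QUESTION = build_query("example.com.")[12:]
def _rr_a(ip):
    # one A record, name as compression pointer to the question (0xC00C), TTL 300
    return struct.pack("!HHHLH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))

# 1) open recursive resolver: QR=1 RD=1 RA=1 NOERROR, one answer
OPEN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + _rr_a("192.0.2.1")
# 2) properly restricted server: QR=1 RD=1 RA=0 REFUSED, no answer
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

def check_server(server, name="example.com.", timeout=2.0):
    """Send the query over UDP to one of your own nameservers and classify it."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data)

if __name__ == "__main__":
    print(classify_response(OPEN_RESPONSE))     # open_recursive True
    print(classify_response(REFUSED_RESPONSE))  # open_recursive False
```

A server that answers REFUSED or with RA clear for an out-of-zone name is behaving as Ed's "controlling the distribution" remark assumes; one that returns a cached, non-authoritative answer is the leaky case Brad is objecting to.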