To: Ed Warnicke <eaw@cisco.com>
Cc: Brad Knowles <brad.knowles@skynet.be>, Peter Koch <pk@TechFak.Uni-Bielefeld.DE>, DNSOP WG <dnsop@cafax.se>
From: Brad Knowles <brad.knowles@skynet.be>
Date: Thu, 10 Jul 2003 02:11:03 +0400
In-Reply-To: <3F0C5B65.9030109@cisco.com>
Sender: owner-dnsop@cafax.se
Subject: Re: draft-warnicke-network-dns-resolution-02.txt
At 2:13 PM -0400 2003/07/09, Ed Warnicke wrote:
> This requirement
> can be fulfilled in a number of ways, but clearly service providers
> would like to comply with legal requirements in the least expensive
> possible way.
Note that there are many facets to the term "expensive" in this
context. We can only address a small subset of them, and I believe
that there are other factors which are dominant but on which we
cannot have any impact.
> If the mediation device vendors can
> integrate against a particular use of the existing DNS system,
> this should be much less expensive.
Not true. At least, not entirely true.
What you really need is a standard. But that standard doesn't
necessarily have to have anything whatsoever to do with the DNS.
Until you can convince me that there is no other possible way that
this issue can be addressed (other than using the DNS), you're going
to have an uphill battle.
Moreover, since we're talking about a mechanism that would be
pretty much purely dictated by the US gov't, I think you would find
very strong opposition to incorporating anything remotely related to
it into an International standard protocol, such as the DNS.
> This is a good point, and one that has been brought up before. There
> are ways of controlling the distribution of RR from a particular edge
> network if the network owner is concerned. I also mentioned this issue
> in the Security Considerations section of the draft.
Sorry, I don't buy this for a moment. There are way, way too
many nameservers out there that are public recursive/caching
nameservers which could be abused to provide this sort of information
to external parties.
Moreover, not only are these nameservers configured in such a way
as to allow this information to escape, they are also vulnerable to
cache pollution and poisoning, which could be far, far worse in the
context of anyone actually depending on the information returned by
these machines for law enforcement purposes, and where real lives
could literally be on the line.
You're talking about relying on a "security mechanism" that is
leaky enough to allow entire galaxies to pass through, and probably
even small universes.
You've got to have something better that can't be simply blown
out of the water by a single poorly set up nameserver, or a small
collection of poorly set up nameservers.
Of course, probably something like 99% of all nameservers are
public recursive/caching and vulnerable to cache pollution/poisoning.
Certainly, my own survey of the gTLD, ccTLD, and root nameservers
indicates that over 50% of all the ccTLD, gTLD, and root nameservers
are open public recursive/caching nameservers, affecting almost 80%
of all the TLDs in the world (see
<http://www.shub-internet.org/brad/papers/dnscomparison/>). And
these are supposedly the best-run nameservers in the world. What is
the rest of the world like?
--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
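The "open recursive" test behind the survey Brad refers to, written out as an added example. This is not code from the original mail, from the draft, or from the survey at shub-internet.org; it is an editor's illustration of the check a practitioner would run against a nameserver. It builds a plain RD=1 query for a name the target is not authoritative for (the probe name and the 192.0.2.1 answer address are constructed fixtures), then classifies the reply by the RA, AA and RCODE bits in the DNS header. The UDP probe function is included so the same classifier can be pointed at a real server; the test fixtures never touch the network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # reply, not query
FLAG_AA = 0x0400  # authoritative answer: served from the server's own zone
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server)
RCODE_REFUSED = 5


def build_query(qname, qid=0x1234, rd=True):
    """Wire-format A/IN query for qname, one question, RD set unless told not to."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp):
    """Unpack the 12-byte header into the fields the classifier needs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(query, resp):
    """Decide what the reply to `query` says about the server's recursion policy.

    The ID check mirrors what a stub resolver must do: a 16-bit ID (plus the
    source port) is all that ties a reply to a query, which is exactly why a
    caching server that accepts any well-formed reply is poisonable."""
    qid = struct.unpack("!H", query[:2])[0]
    h = parse_header(resp)
    if h["id"] != qid or not h["qr"]:
        return "ignored: not a reply to our query (ID/QR mismatch)"
    if h["rcode"] == RCODE_REFUSED:
        return "closed: recursion refused (REFUSED)"
    if h["aa"]:
        return "inconclusive: authoritative answer, probe a name outside its zones"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open recursive: resolved a name it is not authoritative for"
    if not h["ra"]:
        return "closed: recursion not available (RA clear)"
    return "inconclusive: rcode %d with %d answers" % (h["rcode"], h["ancount"])


def build_response(query, flags, answer_ip=None):
    """Constructed reply used as a test fixture: same ID and question section as
    `query`, the given flags, and optionally one A record (name pointer to the
    question at offset 12, TTL 300)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", qid, FLAG_QR | flags, 1, ancount, 0, 0)
    rr = b""
    if answer_ip:
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def probe(server, qname="example.com", timeout=3.0):
    """Send one UDP query to `server` and classify its reply (network use)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply within %.1fs" % timeout
    return classify(query, resp)


if __name__ == "__main__":
    q = build_query("example.com")
    # Constructed fixtures: an open resolver, a refusing one, and one with RA clear.
    print(classify(q, build_response(q, FLAG_RD | FLAG_RA, "192.0.2.1")))
    print(classify(q, build_response(q, FLAG_RD | RCODE_REFUSED)))
    print(classify(q, build_response(q, FLAG_RD)))
```

Probe a name the target server does not serve itself; an AA reply says nothing about recursion, which is why the classifier reports it as inconclusive rather than "closed".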