To: dnsop@cafax.se
From: Rob Austein <sra+dnsop@hactrn.net>
Date: Tue, 15 Jul 2003 17:45:36 +0200
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.10.0 (Venus) Emacs/21.2 Mule/5.0 (SAKAKI)
Subject: My slides from Wien DNSOP session
Since there's been a bit of mailing list discussion based on my presentation yesterday, here are the slides.

%page
Step back a moment
  - Discovery is one aspect of autoconfiguration
  - What data does a DNS-consuming node need when it boots?
    - All DNS consumers need addresses of some name servers
      - Usually recursive name servers
      - But maybe this is an iterative resolver
    - Other things that some DNS consumers might want
      - What search path should I use?
      - What's my own name?
      - How do I publish my name->address data?
      - How do I publish my address->name data?
      - How do I verify signed DNS data?
  - "DNS Discovery" == finding recursive name servers

%page
Security model
  - Issues differ greatly depending on:
    - Which data one is trying to autoconfigure
    - Degree to which one trusts the local network
  - Recursive name server addresses ("DNS discovery")
    - Issues fairly well understood, we think
    - Consumer is at name server's mercy, unless consumer checks sigs
    - If consumer does check sigs, it needs:
      - DNSSEC policy
      - DNSSEC public key(s)
      - A clock (may require (S)NTP, more key(s), ...)
  - Search path: Danger, Will Robinson
    - Controls what questions a node asks
  - "What's my name?"
    - See "search path", above
    - Default kerberos realm too
    - Other effects unknown and system dependent, but probably scary

%page
Security model (2)
  - "How do I publish my name->address data?"
    - Relatively well understood (DNS UPDATE)
    - Requires more policy and keying material
    - Autoconfig adds no obvious new vulnerabilities
  - "How do I publish my address->name data?"
    - Superficially similar to name->address, but
    - Very weak trust model for address ownership
  - "How do I verify signed DNS data?"
    - Fairly well understood
    - Issues already discussed, above
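To make the slides' point that the search path "controls what questions a node asks" concrete, here is an added example that is not part of Rob Austein's message: it models the usual stub-resolver search-list expansion and lists which queries an autoconfigured search path would send to zones the node does not trust. It assumes the classic libc rule (a name with fewer than `ndots` dots is expanded with each search domain before being tried as given); the domain names are constructed for the demonstration.

```python
# Added example, not from the slides: models the stub-resolver search-list
# expansion that makes an autoconfigured search path dangerous. It assumes
# the classic libc rule (a name with fewer than `ndots` dots is expanded
# with each search domain before being tried as-is); all domain names
# used here are constructed for the demonstration.

def candidate_queries(name, search_path, ndots=1):
    """Return the FQDNs a stub resolver would ask for `name`, in order."""
    if name.endswith("."):
        return [name]                      # absolute name, never expanded
    absolute = [name + "."]
    expanded = [f"{name}.{d.strip('.')}." for d in search_path]
    # Enough dots: try the name as given first, then the search domains.
    if name.count(".") >= ndots:
        return absolute + expanded
    return expanded + absolute


def in_zone(fqdn, suffix):
    """True if `fqdn` is `suffix` or lies below it."""
    suffix = suffix.strip(".") + "."
    return fqdn == suffix or fqdn.endswith("." + suffix)


def leaked_queries(name, search_path, trusted_suffixes, ndots=1):
    """Search-list queries that would go to zones the node does not trust.

    The bare absolute query is excluded: the user asked for that one.
    Later candidates are only sent if the earlier ones fail, so the
    first entry in the list is the one an attacker-supplied path wins.
    """
    return [q for q in candidate_queries(name, search_path, ndots)
            if q != name + "."
            and not any(in_zone(q, s) for s in trusted_suffixes)]


if __name__ == "__main__":
    trusted = ["corp.example"]
    # Search path the node learned from an untrusted network (constructed).
    pushed = ["attacker.test", "corp.example"]
    for host in ("intranet", "www.example.org"):
        print(host, "->", candidate_queries(host, pushed))
        print("  leaked:", leaked_queries(host, pushed, trusted))
```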