To: Edward Lewis <lewis@tislabs.com>
Cc: Olaf Kolkman <OKolkman@ripe.net>, dnssec@cafax.se, masseyd@isi.edu
From: Dan Massey <masseyd@isi.edu>
Date: Tue, 17 Apr 2001 18:22:57 -0400
Content-Disposition: inline
Delivery-Date: Wed Apr 18 08:08:20 2001
In-Reply-To: <v03130304b7022a22ac37@[192.94.214.128]>; from lewis@tislabs.com on Tue, Apr 17, 2001 at 01:16:03PM -0400
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: lwresd, tsig, and caching

On Tuesday, April 17, 2001 at 01:16PM, Ed Lewis wrote:
| At 10:45 AM -0400 4/17/01, Olaf Kolkman wrote:
| >During the IETF I would not trust a TSIG that is shared with 2k
| >users. I would prefer to use a SIG(0) with my local only configured
|
| I don't think this is the case here. Users access the "privileged" lwresd
| process via the lightweight interface. The TSIG secret isn't queriable
| through this interface. The daemon uses its privileges to access the TSIG
| data which only it can read to generate the messages.
|

I think this is starting to mix lwresd implementation specifics with the more general question of how secure resolvers should work. The lwresd is one secure resolver, but it is not likely to be the only one... some general rules/guidelines would be helpful.

For my desktop machine, a TSIG to my local nameserver seems most appropriate (Ted's Option B). Note I don't think I need lwresd for this. I hope Option B becomes the standard practice for most hosts that talk to a fixed set of nameservers. Currently, the generic user signs up with ISP X and gets a list of nameservers. In the future, this user would get a list of nameservers and TSIG secrets.

This works pretty well if the set of nameservers is stable. But it doesn't work for more mobile devices. In particular, what about the IETF meeting in Olaf's example?

Ted's Option A: Having all 2k laptops do their own key chaining and verification would be a bad thing in terms of delay, caching, etc... this doesn't seem like something that should be encouraged.

Ted's Option B: It doesn't seem plausible that the IETF nameservers could have individual TSIGs set up with all 2k laptops. A single TSIG that is shared with 2k laptops would be worthless in terms of security. I could rely on TSIG back to my home nameserver and ignore the IETF nameservers altogether, but there are reasons for having IETF meeting nameservers in the first place...

Ted's Option C: Trusting the AD bit on the IETF wireless LAN doesn't sound very secure :)

Ted's Option D: Same TSIG issues as option B.

SIG(0) is looking pretty good here....

Dan
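Added example, not part of the original message and not lwresd or BIND code: a sketch of the Option B trade-off at the meeting, showing which parties a verifier has to accept as possible signers of a MAC'd response under one shared secret versus per-laptop secrets. The MAC is a simplified stand-in (HMAC-SHA256 over the bare message, not the TSIG wire format), and all host names, key names and the sample answer are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    name: str
    secret: bytes
    holders: frozenset  # every party that knows this secret

def tsig_like_mac(secret, message):
    # Simplified: a real TSIG MAC also covers key name, time signed, fudge, etc.
    return hmac.new(secret, message, hashlib.sha256).digest()

def candidate_signers(keys, message, mac):
    """Return every party that could have produced `mac` over `message`."""
    signers = set()
    for key in keys:
        if hmac.compare_digest(tsig_like_mac(key.secret, message), mac):
            signers |= key.holders  # a symmetric MAC cannot tell holders apart
    return signers

SERVER = "ns.meeting.example"                       # constructed name
LAPTOPS = [f"laptop-{i:04d}" for i in range(2000)]  # constructed names
RESPONSE = b"www.example.com. 300 IN A 192.0.2.1"   # constructed answer

def shared_key_case():
    # One secret handed to the server and all 2k laptops.
    key = Key("meeting-shared", secrets.token_bytes(32),
              frozenset([SERVER, *LAPTOPS]))
    mac = tsig_like_mac(key.secret, RESPONSE)
    return candidate_signers([key], RESPONSE, mac)

def per_host_case(laptop="laptop-0007"):
    # One secret per (server, laptop) pair: 2000 keys to provision.
    keys = [Key(f"{SERVER}+{name}", secrets.token_bytes(32),
                frozenset([SERVER, name])) for name in LAPTOPS]
    mine = next(k for k in keys if laptop in k.holders)
    mac = tsig_like_mac(mine.secret, RESPONSE)
    return candidate_signers(keys, RESPONSE, mac)

if __name__ == "__main__":
    print(len(shared_key_case()), "possible signers with the shared key")
    print(sorted(per_host_case()), "possible signers with a per-host key")
```

With the shared key the verifier cannot narrow the signer below all 2001 key holders; the per-host case narrows it to the server and the one laptop, at the cost of the 2000 individually provisioned secrets the message calls implausible.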