

To: Edward Lewis <lewis@tislabs.com>
Cc: Olaf Kolkman <OKolkman@ripe.net>, dnssec@cafax.se, masseyd@isi.edu
From: Dan Massey <masseyd@isi.edu>
Date: Tue, 17 Apr 2001 18:22:57 -0400
Content-Disposition: inline
Delivery-Date: Wed Apr 18 08:08:20 2001
In-Reply-To: <v03130304b7022a22ac37@[192.94.214.128]>; from lewis@tislabs.com on Tue, Apr 17, 2001 at 01:16:03PM -0400
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: lwresd, tsig, and caching

On Tuesday, April 17, 2001 at 01:16PM, Ed Lewis wrote:
| At 10:45 AM -0400 4/17/01, Olaf Kolkman wrote:
| >During the IETF I would not trust a TSIG that is shared with 2k
| >users. I would prefer to use a SIG(0) with my local only configured
| 
| I don't think this is the case here.  Users access the "privileged" lwresd
| process via the lightweight interface.  The TSIG secret isn't queriable
| through this interface.  The daemon uses its privileges to access the TSIG
| data which only it can read to generate the messages.
| 

I think this is starting to mix lwresd implementation specifics with 
the more general question of how secure resolvers should work.
The lwresd is one secure resolver, but it is not likely to be
the only one...  some general rules/guidelines would be helpful.

For my desktop machine, a TSIG to my local nameserver seems most
appropriate (Ted's Option B).  Note I don't think I need lwresd for 
this.

I hope Option B becomes the standard practice for most hosts that talk 
to a fixed set of nameservers.  Currently, the generic user signs 
up with ISP X and gets a list of nameservers.  In the future, this user 
would get a list of nameservers and TSIG secrets.  This works pretty
well if the set of nameservers is stable.  

But it doesn't work for more mobile devices.  In particular, what about 
the IETF meeting in Olaf's example?   

Ted's Option A:
  Having all 2k laptops do their own key chaining and verification would 
  be a bad thing in terms of delay, caching, etc...  this doesn't seem
  like something that should be encouraged.  

Ted's Option B:
   It doesn't seem plausible that the IETF nameservers could have 
   individual TSIGs set up with all 2k laptops.  A single TSIG 
   that is shared with 2k laptops would be worthless in terms of 
   security.  I could rely on TSIG back to my home nameserver and ignore 
   the IETF nameservers altogether, but there are reasons for having 
   IETF meeting nameservers in the first place...

Ted's Option C:
   Trusting the AD bit on the IETF wireless lan doesn't sound very
   secure :)

Ted's Option D:
   Same TSIG issues as option B.

SIG(0) is looking pretty good here....

Dan
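
Added example, not part of the original message: a sketch of why the Option B trade-off above exists. TSIG is a symmetric MAC, so every holder of a secret can produce MACs that every other holder accepts. The MAC here is a simplified stand-in (HMAC-SHA256 over key name and message, not the real TSIG wire format), and the key name, host names and record are constructed.

```python
import hashlib
import hmac
import os

KEY_NAME = "meeting-key."  # constructed key name, for illustration only


def tsig_mac(secret: bytes, message: bytes) -> bytes:
    """Simplified TSIG-style MAC. Real TSIG also covers time signed, fudge, etc."""
    return hmac.new(secret, KEY_NAME.encode() + b"\x00" + message,
                    hashlib.sha256).digest()


def verify(secret: bytes, message: bytes, mac: bytes) -> bool:
    """What a client does with a response: recompute and compare the MAC."""
    return hmac.compare_digest(tsig_mac(secret, message), mac)


def peer_response_accepted(server_keys: dict, victim: str, peer: str) -> bool:
    """server_keys maps client name -> secret the nameserver shares with it.

    Returns True when a response MACed with the secret `peer` holds is
    accepted by `victim` as if it came from the nameserver.
    """
    response = b"www.example. 300 IN A 192.0.2.66"  # constructed sample record
    mac = tsig_mac(server_keys[peer], response)
    return verify(server_keys[victim], response, mac)


def compare_deployments(n_clients: int = 2000):
    """Contrast one shared secret with one secret per client."""
    clients = [f"laptop{i}" for i in range(n_clients)]
    one_secret = os.urandom(32)
    shared = {c: one_secret for c in clients}        # single TSIG for everyone
    per_host = {c: os.urandom(32) for c in clients}  # individual TSIG per laptop
    first, last = clients[0], clients[-1]
    return {
        "shared_peer_accepted": peer_response_accepted(shared, first, last),
        "per_host_peer_accepted": peer_response_accepted(per_host, first, last),
        "secrets_server_manages_shared": len(set(shared.values())),
        "secrets_server_manages_per_host": len(set(per_host.values())),
    }


if __name__ == "__main__":
    for name, value in compare_deployments().items():
        print(f"{name}: {value}")
```

With the shared secret the MAC authenticates only "some holder of the key"; with per-host secrets the property holds, but the server has to provision and store one secret per laptop.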
