To:
Robert Elz <kre@munnari.OZ.AU>
Cc:
Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Jun-ichiro itojun Hagino <itojun@iijlab.net>, Pekka Savola <pekkas@netcore.fi>, dnsop@cafax.se
From:
Brad Knowles <brad.knowles@skynet.be>
Date:
Fri, 22 Nov 2002 09:56:45 +0100
In-Reply-To:
<12624.1037937786@munnari.OZ.AU>
Reply-By:
Wed, 1 Jan 1984 12:34:56 +0100
Sender:
owner-dnsop@cafax.se
Subject:
Re: comments on dnsop-ipv6-dns-issues-00
At 3:03 PM +1100 2002/11/22, Robert Elz wrote:
> | Your assumption that source address of a incoming packet is reachable is
> | improper.
>
> The source is more likely reachable than some DNS server at some unknown
> location - at least we know the source address is actually alive
>and connected
> at the time.
Do we have cryptographic evidence for this assumption? Or are we
just assuming that since we received a packet from a particular IP
address that this claimed source must actually be alive?
I'm not saying that this is not a valid assumption. I'm saying
that we should ask ourselves what happens when it is not valid.
> Personally, I have lost essentially all faith in the usefulness of addr->name
> translations at all, and wouldn't mind simply saying "cannot be done" (in
> general of course, it might sometimes work, just don't depend upon it).
Yeah, name-based security is pretty meaningless. Even if you
resolve things backwards, then forwards then backwards again (or
forwards, then backwards, then forwards again), and compare the final
results with what you started off with, it's a guess at best. Only
with a full and unbroken cryptographic chain of evidence going up all
the way to the roots, can you have some confidence that the reverse
is actually what it claims to be.
Still, I think we need to provide some sort of reverse mechanism.
--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.