> From: Colm MacCárthaigh <c...@stdlib.net>

> > On what do you base your claims about the fatal costs of DNSSEC
> > validation?
>
> I wrote that the costs are high, not fatal.

I'm sure I'm not the only person who read your words as a claim that validation should not be enabled because of those high costs.

> http://dns.comcast.net/
> serves as a reasonable, though not complete, public example list of
> issues.

Everything has issues; what is your point? Have you turned on DNSSEC where you can? If not, why not?

> > True, but the right question is not "Does DNSSEC add vulnerabilities?"
> > but "Overall, is DNS more or less secure with DNSSEC?" or "Among all
> > of the things I can do, what will improve the security of my users and
> > the Internet in general?"
>
> This thread concerns the vulnerabilities uncovered in the fragment
> attacks. One of those vulnerabilities is that domains can be rendered
> unresolvable; even when DNSSEC is enabled. That seems like something
> to take seriously.

The implication that I have suggested that the denial of service vulnerabilities associated with DNSSEC should not be taken seriously is false. Again, the question is not whether the availability security issues with DNSSEC should be taken seriously, but whether DNSSEC is better than the alternative of no DNSSEC and perhaps relying on port randomization.

Port randomization is an extremely thin reed for security, because there are so few port number bits. Random ports are like random TCP ISNs, better than easily predictable numbers but almost but not quite irrelevant to security. Anyone selling random ports in place of or as important as in-band authentication (e.g. DNSSEC) is doing harm and has suspect motives or expertise.

> > I suspect Kaminsky got the credit because he had been contributing to
> > the field for years. But who cares who got there first?
>
> Evidently Paul Vixie does. That's what I was responding to.

I assume you are familiar with the informal rules for such credit. It would be wrong for Paul Vixie to credit Haya Shulman with that which was long ago credited to Kaspersky.

Paul Vixie made clear his willingness to credit Haya Shulman with a pointer to her paper after reading it, as well as his reluctance to pay to read it. From her "on my website" (paraphrased) words, I assumed it is easily found or that she would give us a free URL. After looking and waiting, as far as I can tell, neither is the case. Also after looking, I guessed that Springer might throw a fit if she self-published. She could have mentioned that difficulty. There is nothing wrong with her getting paid for that paper, although I won't pay to read it. I do find something unseemly in her ducking and dodging the question of the relative importance and effectiveness of DNSSEC and port randomization.

> > Let's agree that ports ought to be as random as TCP ISNs, improve port
> > randomness where each of us can, and stop implying that anyone thinks
> > or says otherwise.
>
> O.k., but what about fragmentation point randomisation, or randomized
> DNS payload padding?

What about them? I think I saw agreement somewhere about reducing non-DNSSEC MTUs to help the non-DNSSEC fragmentation issue, and so I assume those changes will be made. I don't have an opinion about DNS payload padding, and so won't be submitting any relevant bug reports. Are you an NSD, Unbound, or BIND committer and if so, have you proposed changes? Have you submitted relevant bug reports so that those implementations can be changed as you think appropriate?

Vernon Schryver v...@rhyolite.com

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs