On Sun, 17 Aug 2008, Ted Lemon wrote:

> On Aug 17, 2008, at 4:12 PM, Dean Anderson wrote:
> > Changing DNS protocol is considered by many to be expensive and risky.
> > Are you saying it's not expensive or risky? That seems to be a far
> > more bold assertion.
>
> Actually, you and Ohta-san seem to be taking that position. That's
> not "many." I just deployed DNSSEC. My servers are ticking over
> happily, and I haven't had any complaints from users. So I guess I
> don't think it's all that risky, no. It may be that I'm wrong, but
> you haven't said anything surprising yet, so I'm still waiting for the
> revelation that will convince me that your fears are justified.

I'm always amazed when advocates of something come out and say "I did it, and I'm still here", and assume that means that it can be done worldwide for free and that it also means there are no issues with scaling their effort, and that it means there are no downsides that might come to light after a lot of sites do what they did. SPF script DOS attacks come to mind as a good example. But if only myself and Ohta-san think changing DNS protocol is expensive and risky, then perhaps we should change the protocol even more and do it more often.

> > However, misplaced trust attacks can only be avoided by preventing the
> > sending of trusted information to untrusted sites. Solve this problem
> > correctly (which is entirely doable) and none of these attacks will be
> > effective at obtaining trusted information.
>
> Forgive me for pointing this out, but about three exchanges ago you
> said that solving this problem was provably impossible. Have you
> changed your mind, or am I missing something?

You are indeed missing something. Constructing a system free of covert channels is not the same as limiting the distribution of trusted information. To put it another way, it's fairly easy to limit the "To:" list on sending email, but it's much harder to keep spam out of your mailbox. One problem is doable. The other isn't.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop