> On Aug 15, 2008, at 8:10 AM, Paul Wouters wrote:
> > Whether
> > I get a fake CNN.com page is much less important to me than whether
> > my nfs
> > or mail server can be accessed by something
>
> I'm not sure how relevant this is to the discussion, but I'll answer
> the question anyway. I do
On Aug 15, 2008, at 8:10 AM, Paul Wouters wrote:
Whether
I get a fake CNN.com page is much less important to me than whether
my nfs
or mail server can be accessed by something
I'm not sure how relevant this is to the discussion, but I'll answer
the question anyway. I don't use NFS because (
Okay, so this is a key that's arguably more important than your KSK, because
it's used to protect authentication information and, depending on how you do
business, financial information belonging to your customers. If it's safe
to roll this key every two years, it's safe to roll your KSK no
> I presented the real-world statistical data to support my claim
> that DNSSEC requires too much work. That is, it is hardly deployed
> because it requires too much work.
The reason it's hardly deployed is that people don't see the point. COM
and the root zone aren't signed, so there's no perceive
On Aug 13, 2008, at 10:28 PM, Masataka Ohta wrote:
I presented the real-world statistical data to support my claim
that DNSSEC requires too much work. That is, it is hardly deployed
because it requires too much work.
I must have missed that message.
Does your personal experience have any statis
Ted Lemon wrote:
> Ohta-san, you made the claim that managing DNSSEC is so much more work
> than maintaining regular DNSSEC that the cost of doing so outweighed
> the benefit of doing so - the added security. You provided no
> statistics to back up that claim,
I presented the real-world s
On Aug 13, 2008, at 12:19 PM, Ralf Weber wrote:
Well, you have to change keys with cryptography from time to time if you want
to be safe. RFC2541 says once a year, RFC4641 doesn't give any advice,
but e.g. RIPE, which refers to this, is doing a rollover every 6
months.
A 2048-bit key will take a reall
Moin!
On Aug 13, 2008, at 20:06 , Ted Lemon wrote:
On Aug 13, 2008, at 10:21 AM, Ralf Weber wrote:
Hmm, assuming that we both did use the same name server software, my
experiences are different. Compared to regular DNS, setting up and,
more
importantly, maintaining DNSSEC is much more work than
> On Wed, 13 Aug 2008 19:21:44 +0200, Ralf Weber <[EMAIL PROTECTED]> said:
RW> Hmm, assuming that we both did use the same name server software, my
RW> experiences are different. Compared to regular DNS, setting up and, more
RW> importantly, maintaining DNSSEC is much more work than normal DNS stu
On Aug 13, 2008, at 10:21 AM, Ralf Weber wrote:
Hmm, assuming that we both did use the same name server software, my
experiences are different. Compared to regular DNS, setting up and, more
importantly, maintaining DNSSEC is much more work than normal DNS stuff
(zone resigning, key rollover).
You'
Moin!
On Aug 13, 2008, at 18:50 , Ted Lemon wrote:
On Aug 13, 2008, at 4:04 AM, Masataka Ohta wrote:
Maybe Ted could provide some virtual-world data realistic enough to
deny the real-world statistical data such as:
djb> Last week's surveys by the DNSSEC developers ("SecSpider")
have found
On Aug 13, 2008, at 9:50 AM, Ted Lemon wrote:
Ohta-san, you made the claim that managing DNSSEC is so much more work
than maintaining regular DNSSEC
Er, "regular DNS," not "regular DNSSEC."
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/m
On Aug 13, 2008, at 4:04 AM, Masataka Ohta wrote:
Maybe Ted could provide some virtual-world data realistic enough to
deny the real-world statistical data such as:
djb> Last week's surveys by the DNSSEC developers ("SecSpider") have
found a
djb> grand total of 99 signed dot-com names out of t
On Wed, Aug 13, 2008 at 08:04:08PM +0900, Masataka Ohta wrote:
> > relationships; and because we know that humans make a lot of errors;
>
> It's interesting that you just mention errors and ignore social
> implementation details or intentional attacks.
There are two elements to what you are clai
Andrew Sullivan wrote:
>>Social implementations of DNSSEC may be (or, considering its complexity,
>>will always be) vulnerable to tampering from any person.
> This seems like a strong claim.
Not at all.
Instead, that PKI, including DNSSEC, were cryptographically secure
is an unfounded strong cla
On 12 Aug 2008, at 14:50, Dean Anderson wrote:
On Tue, 12 Aug 2008, Mark Andrews wrote:
TCP, port randomisation, 0x20, EDNS PING etc. all leave gaping holes
in the security model which are being exploited today.
I don't know of any TCP exploits today.
Imagine being able to intercept arbit
On Tue, 12 Aug 2008, Dean Anderson wrote:
On Mon, 11 Aug 2008, Paul Wouters wrote:
[Paul Wouters is a frequent NANOG poster.]
a handful of postings in years is frequent?
DNSSEC has been deployed on large scale by some TLDs and RIRs already.
It is very much operational.
Not very much--99
On Aug 12, 2008, at 11:40 AM, Dean Anderson wrote:
DNSSEC has been deployed on large scale by some TLDs and RIRs
already.
It is very much operational.
Not very much--99 domains out of 70 million in .com.
As has been pointed out, .COM is not signed. The fact that there are
99 zones signe
On Tue, 12 Aug 2008, Mark Andrews wrote:
> TCP, port randomisation, 0x20, EDNS PING etc. all leave gaping holes
> in the security model which are being exploited today.
I don't know of any TCP exploits today. Though TCP is not secure against
anyone in the path of the packets, it's pretty invulnera
On Mon, 11 Aug 2008, Paul Wouters wrote:
[Paul Wouters is a frequent NANOG poster.]
> DNSSEC has been deployed on large scale by some TLDs and RIRs already.
> It is very much operational.
Not very much--99 domains out of 70 million in .com.
Your argument would be stronger if you identified wh
On Aug 12, 2008, at 6:56 PM, Dean Anderson wrote:
This message seems to answer many of the questions over the last few
days.
.SE have 922 domains with DS records. The lack of .COM domains is
probably because .COM is not signed. It is much easier to put a trust
anchor in your resolver for
This message seems to answer many of the questions over the last few
days.
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000
-- Forwarded message --
Date: 10 Aug 2008 00:28:22 -
From: D.
On Aug 11, 2008, at 11:00 PM, Masataka Ohta wrote:
If you are talking about security relative to the amount of
operational effort (that is, money!!!), PODS is definitely
more secure than DNSSEC.
I think if you were to try to explain this by presenting real-world
statistical data to support you
[no hat]
On Tue, Aug 12, 2008 at 12:00:09PM +0900, Masataka Ohta wrote:
> Social implementations of DNSSEC may be (or, considering its complexity,
> will always be) vulnerable to tampering from any person.
This seems like a strong claim. Are you really just claiming that,
because humans are inv
Ted Lemon wrote:
> No, Ohta-san. It _is_ more secure. Security is relative, not
> absolute.
Are you really talking about relative security?
If you are talking about security relative to the amount of
operational effort (that is, money!!!), PODS is definitely
more secure than DNSSEC.
On Aug 11, 2008, at 8:36 PM, Masataka Ohta wrote:
How can you explain the evidence that many people here think DNSSEC
more secure than PODS merely because it is called DNSSEC?
Are they less-than-average users?
No, Ohta-san. It _is_ more secure. Security is relative, not
absolute. You c
> Mark Andrews wrote:
>
> >>DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives
> >>users false sense of security.
>
> > You already have to trust your parents to publish your
> > delegating NS RRset.
>
> So, technically, DNSSEC is no worse but no better than PODS.
No.
Ted Lemon wrote:
>> DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives
>> users false sense of security.
> So what matters is not what sense of security the user has, but
> what actual security the user has.
The false sense of security makes people unconditionally accept DNS
re
On Aug 11, 2008, at 6:34 PM, Masataka Ohta wrote:
DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives
users false sense of security.
The average user has a false sense of security completely independent
of what the underlying protocol is. So what matters is not what
sense
Mark Andrews wrote:
>>DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives
>>users false sense of security.
> You already have to trust your parents to publish your
> delegating NS RRset.
So, technically, DNSSEC is no worse but no better than PODS.
>>That is, WG discu
> > To break DNSSEC, a phishing site pretending to be your parent CA and
> > requesting you enter your private key is often enough.
>
> Which like most things to do with security is a matter of
> education.
To which I should have added. With DNSSEC you *never* need
to d
> Dean Anderson wrote:
>
> >>1) What is more broken with DNSSEC then on DNS?
>
> DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives
> users false sense of security.
>
> > The question really should be 'What is LESS broken with DNSSEC than with
> > DNS?' Equally broken is bad, t
Dean Anderson wrote:
>>1) What is more broken with DNSSEC then on DNS?
DNSSEC is, socially, more dangerous than PODS, because DNSSEC gives
users false sense of security.
> The question really should be 'What is LESS broken with DNSSEC than with
> DNS?' Equally broken is bad, too. 'More broken'
DNSSEC, a cryptographic version of DNS, has been in development since
1993 but is still not operational.
It seems that Mr. Bernstein also suffers from the "America is not the
world" syndrome.
???
DNSSEC has been deployed on large scale by some TLDs and RIRs already.
It is very much ope
On Sat, 9 Aug 2008, Paul Wouters wrote:
>
> > DNSSEC, a cryptographic version of DNS, has been in development since
> > 1993 but is still not operational.
>
> It seems that Mr. Bernstein also suffers from the "America is not the
> world" syndrome.
???
> > Bernstein said that DNSSEC offers
the fact that masataka's proposal seemed qualitatively better to me eleven
years ago is moot. the reason dnssec isn't deployed yet has nothing to do
with any such qualitative differences. we are where we are, and what we've
got to do now is deploy what we've got now. the dnssec spec at present m
Tony Finch wrote:
On Sun, 10 Aug 2008, Ben Laurie wrote:
Tony Finch wrote:
On Sun, 10 Aug 2008, Ted Lemon wrote:
Paul's comment (the first of the three articles you quoted) implies
that secure NXDOMAIN is not a feature of Ohta-san's proposal. That
seems like a bit of a problem, because fake d
On Sun, 10 Aug 2008, Ben Laurie wrote:
> Tony Finch wrote:
> > On Sun, 10 Aug 2008, Ted Lemon wrote:
> > >
> > > Paul's comment (the first of the three articles you quoted) implies
> > > that secure NXDOMAIN is not a feature of Ohta-san's proposal. That
> > > seems like a bit of a problem, because
Tony Finch wrote:
On Sun, 10 Aug 2008, Ted Lemon wrote:
Paul's comment (the first of the three articles you quoted) implies that
secure NXDOMAIN is not a feature of Ohta-san's proposal. That seems like a
bit of a problem, because fake domains are definitely a useful phishing tool.
As far as
On Sun, 10 Aug 2008, Ted Lemon wrote:
>
> Paul's comment (the first of the three articles you quoted) implies that
> secure NXDOMAIN is not a feature of Ohta-san's proposal. That seems like a
> bit of a problem, because fake domains are definitely a useful phishing tool.
As far as I can tell fro
On Aug 10, 2008, at 5:51 AM, Andras Salamon wrote:
An alternative was proposed by Masataka Ohta around 1995. It did not
progress, but maybe it is time to trawl the archives and revisit it?
Paul's comment (the first of the three articles you quoted) implies
that secure NXDOMAIN is not a featu
On Sat, Aug 09, 2008 at 04:33:55PM -0400, Paul Wouters wrote:
> In general, for all those people who claim DNSSEC is not the solution, I
> have a few questions
>
> 1) What is more broken with DNSSEC then on DNS?
> 2) If DNSSEC is flawed, where is a better alternative?
An alternative was proposed
DNSSEC, a cryptographic version of DNS, has been in development since
1993 but is still not operational.
It seems that Mr. Bernstein also suffers from the "America is not the
world" syndrome.
Bernstein said that DNSSEC offers "a surprisingly low level of security"
while causing severe pr
FYI: It would be nice if someone could repost this the namedroppers.
This might inform some of the discussion going on there. Both DJB and I
have problems posting to namedroppers for basically the same
reasons---opposing the BIND cartel. However, getting this information
distributed seems to be i
FYI, Two people (myself and Dr. Bernstein) who have often cited the
insecurity of DNS, and this attack in particular, are currently or have
been previously blocked from namedroppers, and so can't discuss the
proper solutions to these problems. I have been following the
namedroppers discussion with