- Original Message -
From: "Nicholas Weaver"
To: "George Barwood"
Cc: "Nicholas Weaver" ;
Sent: Saturday, March 20, 2010 2:26 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
On Mar 20, 2010, at 1:50 AM, George Barwood wrote:
>>> Ens
On Mar 20, 2010, at 1:50 AM, George Barwood wrote:
>> Enshrining "thou shalt never fragment" into the Internet Architecture is
>> dangerous, and will cause far MORE problems. Having something which
>> regularly exercises fragmentation as critical to the infrastructure and we
>> wouldn't have th
- Original Message -
From: "Nicholas Weaver"
To: "George Barwood"
Cc: "Nicholas Weaver" ;
Sent: Friday, March 19, 2010 7:48 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>On Mar 19, 2010, at 12:01 PM, George Barwood wrote:
>>
>
On 3/19/10 8:32 AM, George Barwood wrote:
There are advantages besides messages being lost.
It also prevents spoofing of fragments, and limits amplification attacks.
It doesn't limit amplification attacks by much if at all
It cuts the response from 4K to 1.5K, and I think frag
> From: Nicholas Weaver
> Date: Fri, 19 Mar 2010 12:48:24 -0700
> ...
> Enshrining "thou shalt never fragment" into the Internet Architecture is
> dangerous, and will cause far MORE problems. Having something which
> regularly exercises fragmentation as critical to the infrastructure and
> we would
On Mar 19, 2010, at 12:01 PM, George Barwood wrote:
>
> Anyway, do we yet agree that 1450 is the best default for max-udp-size, and
> that higher values are dangerous?
No: I agree it is the proper default for the TLD authorities and roots, but
for everything else, the higher value should be
> Hmm, you're right, IF the A records are accepted in the additional section,
> true, A records could be added to the RRSET for some of the names.
> But frankly speaking, that's "ADDITIONAL", and shouldn't really be accepted at
> all, and if the resolver DOES cache it, I'd personally call it a b
On Mar 19, 2010, at 9:41 AM, Ted Lemon wrote:
> On Mar 19, 2010, at 12:20 PM, Nicholas Weaver wrote:
>> HAHAHA. Not bloody likely IMO: a lot of the "open resolvers" are broken
>> end-user NATs and similar. Those will only be updated sometime around when
>> hell freezes over.
>
> Stuff gets
On Mar 19, 2010, at 12:20 PM, Nicholas Weaver wrote:
> HAHAHA. Not bloody likely IMO: a lot of the "open resolvers" are broken
> end-user NATs and similar. Those will only be updated sometime around when
> hell freezes over.
Stuff gets updated when its brokenness becomes obvious to the person
On Mar 19, 2010, at 9:10 AM, George Barwood wrote:
>
>>> It cuts the response from 4K to 1.5K, and I think fragmentation that
>>> contributes
>>> to these attacks being damaging.
>
>> All I need to do is find a set of open resolvers which don't have such
>> limits to do juuust fine.
>
> Ev
>> It cuts the response from 4K to 1.5K, and I think fragmentation that
>> contributes
>> to these attacks being damaging.
> All I need to do is find a set of open resolvers which don't have such limits
> to do juuust fine.
Eventually the open resolvers will get updated, and thus these attac
On Mar 19, 2010, at 8:32 AM, George Barwood wrote:
>
>>> There are advantages besides messages being lost.
>>> It also prevents spoofing of fragments, and limits amplification attacks.
>
>> It doesn't limit amplification attacks by much if at all
>
> It cuts the response from 4K to 1.5K, and I
>> There are advantages besides messages being lost.
>> It also prevents spoofing of fragments, and limits amplification attacks.
>It doesn't limit amplification attacks by much if at all
It cuts the response from 4K to 1.5K, and I think fragmentation that contributes
to these attacks being dama
On Mar 19, 2010, at 6:09 AM, George Barwood wrote:
>
> - Original Message -
> From: "Nicholas Weaver"
> To: "George Barwood"
> Cc: "Nicholas Weaver" ; "Matt Larson" ;
> Sent: Friday, March 19, 2010 12:33 PM
> Subjec
- Original Message -
From: "Nicholas Weaver"
To: "George Barwood"
Cc: "Nicholas Weaver" ; "Matt Larson" ;
Sent: Friday, March 19, 2010 12:33 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>On Mar 19, 2010, at 12:21 AM, George Ba
On Mar 19, 2010, at 12:21 AM, George Barwood wrote:
> I suggest the default value in BIND for max-udp-size should be 1450.
> This appears to be best practice.
> Since few zones are currently signed, it's not too late to make this change.
> Later on it may be more difficult.
Actually, I'd say thi
- Original Message -
From: "Nicholas Weaver"
To: "Matt Larson"
Cc: ; "Nicholas Weaver"
Sent: Tuesday, March 09, 2010 3:31 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>
> On Mar 9, 2010, at 7:17 AM, Matt Larson wrote:
>
>&
In message <20100309145352.gb5...@dul1mcmlarson-l1-2.local>, Matt Larson writes:
> On Tue, 09 Mar 2010, Wouter Wijngaards wrote:
> > Also +1 for the consensus analysis about signing: not on the path of
> > trust but still somewhat useful to do, but not add another TA for it.
>
> I have not seen
On Tue, 09 Mar 2010, Tony Finch wrote:
> On Tue, 9 Mar 2010, Matt Larson wrote:
> >
> > Even after .net is signed (in Q4 2010)
>
> I note that Verisign's press releases say "by Q1 2011" which I find rather
> hard to interpret. Why don't they say "by the start of 2011"? Do they mean
> "in Q1 2011"?
On 2010-03-09, at 11:59, Tony Finch wrote:
> On Tue, 9 Mar 2010, Matt Larson wrote:
>>
>> Even after .net is signed (in Q4 2010)
>
> I note that Verisign's press releases say "by Q1 2011" which I find rather
> hard to interpret. Why don't they say "by the start of 2011"? Do they mean
> "in Q1 2
On Tue, 9 Mar 2010, Matt Larson wrote:
>
> Even after .net is signed (in Q4 2010)
I note that Verisign's press releases say "by Q1 2011" which I find rather
hard to interpret. Why don't they say "by the start of 2011"? Do they mean
"in Q1 2011"?
People on Twitter have been saying today that Veris
On Tue, 09 Mar 2010, Wouter Wijngaards wrote:
> Also +1 for the consensus analysis about signing: not on the path of
> trust but still somewhat useful to do, but not add another TA for it.
I have not seen any consensus emerge one way or another regarding
signing root-servers.net.
Even after .net
On Mar 9, 2010, at 7:17 AM, Matt Larson wrote:
> On Mon, 08 Mar 2010, George Barwood wrote:
>> It's interesting to note that currently
>>
>> dig any . @a.root-servers.net +dnssec
>>
>> truncates, leading to TCP fallback
>>
>> but
>>
>> dig any . @l.root-servers.net +dnssec
>>
>> does not tru
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Tony, Joe,
On 03/08/2010 08:35 PM, Tony Finch and Joe Abley alternated:
- signing ROOT-SERVERS.NET would result in potentially-harmful large
responses with no increase in security
>>>
>>> Can't you deal with this by omitting the root-serv
On Mon, 08 Mar 2010, George Barwood wrote:
> It's interesting to note that currently
>
> dig any . @a.root-servers.net +dnssec
>
> truncates, leading to TCP fallback
>
> but
>
> dig any . @l.root-servers.net +dnssec
>
> does not truncate ( response size is 1906 bytes ).
a.root-servers.net's s
In message , Joe Abley writes:
> On 2010-03-08, at 17:08, George Barwood wrote:
>
> > It's interesting to note that currently
> >
> > dig any . @a.root-servers.net +dnssec
> >
> > truncates, leading to TCP fallback
> >
> > but
> >
> > dig any . @l.root-servers.net +dnssec
>
> > does not tru
On 2010-03-08, at 17:08, George Barwood wrote:
> It's interesting to note that currently
>
> dig any . @a.root-servers.net +dnssec
>
> truncates, leading to TCP fallback
>
> but
>
> dig any . @l.root-servers.net +dnssec
>
> does not truncate ( response size is 1906 bytes ).
A runs BIND9, as
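Added example (Python, not code from any message in this thread, and not the dig commands quoted above): a small model of what "dig any . @<server> +dnssec" negotiates. It builds the query with an EDNS0 OPT record carrying the client's UDP buffer size and the DO bit, reads the TC bit from a response header, and applies the rule behind the truncation George Barwood observed: the server sends over UDP only up to the smaller of the client's advertised buffer and its own cap (max-udp-size in BIND). The 1906-byte answer and the 1450 cap are figures from the thread; the 4096 client buffer, the 4096 alternative cap and the response bytes are assumptions so the code runs offline. It also reports the amplification ratio of the same query, the point made elsewhere in the thread about 4K versus 1.5K responses.

```python
"""Model of EDNS0 size negotiation and TC-bit handling for '. ANY +dnssec'.
Added example; the response bytes built here are constructed, not captured."""
import struct
from typing import NamedTuple

QTYPE_ANY = 255
QCLASS_IN = 1
TYPE_OPT = 41            # EDNS0 pseudo-RR (RFC 2671)
EDNS_DO = 0x8000         # "DNSSEC OK" bit, carried in the OPT TTL field (RFC 4035)
FLAG_QR = 0x8000         # header flag: message is a response
FLAG_TC = 0x0200         # header flag: response was truncated, retry over TCP
FLAG_RD = 0x0100         # header flag: recursion desired


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name; '.' (the root) is a single zero octet."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int, udp_payload: int,
                dnssec_ok: bool = True) -> bytes:
    """Query as dig sends it with +dnssec: one question plus an OPT record whose
    CLASS field advertises the client's UDP buffer and whose TTL carries DO."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    ttl = EDNS_DO if dnssec_ok else 0
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)
    return header + question + opt


class Header(NamedTuple):
    txid: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> Header:
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    return Header(*struct.unpack("!HHHHHH", msg[:12]))


def is_truncated(msg: bytes) -> bool:
    """True when the server set TC: the UDP reply was cut and TCP fallback is needed."""
    h = parse_header(msg)
    return bool(h.flags & FLAG_QR) and bool(h.flags & FLAG_TC)


def udp_limit(client_bufsize: int, server_max_udp: int) -> int:
    """The server honours the smaller of the client's advertised EDNS buffer and
    its own cap (BIND's max-udp-size); anything larger goes out truncated."""
    return min(client_bufsize, server_max_udp)


def needs_tcp_fallback(response_len: int, client_bufsize: int, server_max_udp: int) -> bool:
    return response_len > udp_limit(client_bufsize, server_max_udp)


def amplification(query_len: int, response_len: int) -> float:
    """Bytes returned per byte sent: what a reflection attack gets from this query."""
    return response_len / query_len


def make_response(txid: int, truncated: bool) -> bytes:
    """Constructed 12-byte response header (no sections) for offline testing."""
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    q = build_query(".", QTYPE_ANY, 0x1234, 4096)       # dig any . +dnssec, bufsize 4096
    print(f"bare query is {len(q)} bytes")
    for server_cap in (1450, 4096):                     # proposed cap vs. an assumed higher one
        print(f"server cap {server_cap}: 1906-byte answer needs TCP? "
              f"{needs_tcp_fallback(1906, 4096, server_cap)}")
    print("amplification for the 1906-byte answer: %.1fx" % amplification(len(q), 1906))
    print("TC set in constructed reply:", is_truncated(make_response(0x1234, True)))
```

With a 4096-byte client buffer the 1906-byte answer is truncated under a 1450 cap and delivered over UDP under a 4096 cap, which is the difference in behaviour reported between the two root servers; whether a particular server's cap is set that way is not something this model can tell you, only the response's TC bit can.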
Nicholas Weaver wrote:
> DNSSEC is ONLY useful for things like TXT and CERT records fetched
> by a DNSSEC aware cryptographic application, and that would
> require a valid signature chain from the root(s) of trust
> (either preconfigured or on a path from the signed root) validated
> on the client
In message <43fc3f50679f458a869f99d72ecd1...@localhost>, "George Barwood" writes:
>
>
>
> - Original Message -
> From: "Joe Abley"
> To: "Tony Finch"
> Cc: "George Barwood" ;
> Sent: Monday, March 08,
- Original Message -
From: "Joe Abley"
To: "Tony Finch"
Cc: "George Barwood" ;
Sent: Monday, March 08, 2010 4:22 PM
Subject: Re: [DNSOP] Should root-servers.net be signed
>On 2010-03-08, at 11:18, Tony Finch wrote:
>> On Mon, 8 Mar 2010,
In message <06d5b206-5ec8-4e2a-9f5e-f6a4a6211...@icsi.berkeley.edu>, Nicholas Weaver writes:
>
> On Mar 8, 2010, at 7:27 AM, Paul Wouters wrote:
>
> > On Mon, 8 Mar 2010, Joe Abley wrote:
> >
> >> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as
On Mon, 8 Mar 2010, Joe Abley wrote:
> On 2010-03-08, at 11:18, Tony Finch wrote:
> > On Mon, 8 Mar 2010, Joe Abley wrote:
> >>
> >
> >> - signing ROOT-SERVERS.NET would result in potentially-harmful large
> >> responses with no increase in security
> >
> > Can't you deal with this by omitting the
On Mar 8, 2010, at 9:31 AM, Thierry Moreau wrote:
> Joe Abley wrote:
>> On 2010-03-08, at 10:27, Paul Wouters wrote:
>>> On Mon, 8 Mar 2010, Joe Abley wrote:
>>>
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I
think be paraphrased as follows:
- howeve
Joe Abley wrote:
On 2010-03-08, at 10:27, Paul Wouters wrote:
On Mon, 8 Mar 2010, Joe Abley wrote:
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be
paraphrased as follows:
- however, since the root zone is signed, validators can already tell when they
are tal
On 2010-03-08, at 11:18, Tony Finch wrote:
> On Mon, 8 Mar 2010, Joe Abley wrote:
>>
>
>> - signing ROOT-SERVERS.NET would result in potentially-harmful large
>> responses with no increase in security
>
> Can't you deal with this by omitting the root-servers.net RRSIGs from the
> additional se
On Mar 8, 2010, at 8:00 AM, Paul Wouters wrote:
> On Mon, 8 Mar 2010, Nicholas Weaver wrote:
>
>> If your ISP is acting as a MitM on DNS, it's acting as a MitM on everything,
>> so DNSSEC buys you f-all if you are using it for A records, because any app
>> using that A record either doesn't tru
On 2010-03-08, at 10:27, Paul Wouters wrote:
> On Mon, 8 Mar 2010, Joe Abley wrote:
>
>> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think
>> be paraphrased as follows:
>>
>> - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs
>> over the A and
On Mon, 8 Mar 2010, Joe Abley wrote:
>
> - signing ROOT-SERVERS.NET would result in potentially-harmful large
> responses with no increase in security
Can't you deal with this by omitting the root-servers.net RRSIGs from the
additional section of responses to queries to the root?
Tony.
--
f.anth
On Mon, 8 Mar 2010, Nicholas Weaver wrote:
If your ISP is acting as a MitM on DNS, it's acting as a MitM on everything, so
DNSSEC buys you f-all if you are using it for A records, because any app using
that A record either doesn't trust the net or is trivially p0owned by the ISP.
If I detect
On Mar 8, 2010, at 7:27 AM, Paul Wouters wrote:
> On Mon, 8 Mar 2010, Joe Abley wrote:
>
>> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think
>> be paraphrased as follows:
>>
>> - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs
>> over the A
At 9:38 AM -0500 3/8/10, Joe Abley wrote:
>I also find Jim's point regarding NET rather compelling. If the NET zone is
>not signed, then validating responses from a signed ROOT-SERVERS.NET zone
>would require yet another trust anchor to be manually-configured.
...and to manually be removed in th
On Mon, 8 Mar 2010, Joe Abley wrote:
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be
paraphrased as follows:
- if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over
the A and RRSets) which is a potential disadvantage
Is it? Is DNSS
On 2010-03-07, at 03:06, George Barwood wrote:
> I have been wondering about this.
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be
paraphrased as follows:
- if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over
the A and RRSets) whic
* Jim Reid:
> So what? If the served zones are signed, it simply doesn't matter if
> the address of a name server is spoofed or hijacked.
This is only true if the whole DNS tree is signed (and if you don't
value query privacy).
--
Florian Weimer
BFK edv-consulting GmbH htt
Mark Andrews wrote:
> There is plenty of evidence for ISPs modifying DNS responses to
> queries directed to their recursive servers without notifying the
> client population before doing so.
> There are also reports of ISPs modifying DNS responses not directed
> to their recursive servers. If yo
Nicholas Weaver wrote:
> And PKI, despite what you say, is not broken. Hierarchical trust
> OR web of trust, you have to have some transitive trust to make
> a usable system.
As the Internet (and telco net, too, which has been used for
more than 100 years with moderate security) is the hierarchi
In message <4b946242.7020...@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Jay Daley wrote:
>
> > I think you are picking your own definition of security to suit
> > your argument.
>
> If you can deny the following reality:
>
> >>The reality, however, is that ISPs are as secure/reliable/
Jay Daley wrote:
> I think you are picking your own definition of security to suit
> your argument.
If you can deny the following reality:
>>The reality, however, is that ISPs are as secure/reliable/trustable
>>as zones, which means DNSSEC does not increase the level of security.
feel free to d
On 7 Mar 2010, at 23:08, George Barwood wrote:
But since, unless you do it manually or do some other finagling, you can't
easily establish trust if you don't have trust above, root-
servers.net should only sign after .net is signed at this point in
the rollout.
The dependency on .net for the root name
On Mar 7 2010, George Barwood wrote:
The dependency on .net for the root name servers seems strange to me.
Intuitively, I should not have to trust .net to get a validated set
of root name servers.
The names of the root name servers are somewhat arbitrary, and since
they are very integral to th
> But since, unless you do it manually or do some other finagling, you can't easily
> establish trust if you don't have trust above, root-servers.net should only
> sign after .net is signed at this point in the rollout.
The dependency on .net for the root name servers seems strange to me.
Intuitively, I sh
On Mar 7, 2010, at 11:03 AM, Masataka Ohta wrote:
> Nicholas Weaver wrote:
>
>>> That is, DNSSEC is not secure cryptographically, which is another
>>> reason why not to deploy DNSSEC.
>
>> I don't see what your argument here is.
>>
>> DNSSEC is a "PKI in disguise", and like ANY PKI, you still
On 8/03/2010, at 8:03 AM, Masataka Ohta wrote:
> The problem is that DNSSEC was wrongly advertised to increase
> the level of security.
I think you are picking your own definition of security to suit your argument.
Those promoting DNSSEC have only ever said that the "security" it provides is
b
Nicholas Weaver wrote:
>>That is, DNSSEC is not secure cryptographically, which is another
>>reason why not to deploy DNSSEC.
> I don't see what your argument here is.
>
> DNSSEC is a "PKI in disguise", and like ANY PKI, you still depend
> on trust up the hierarchy,
Yes, you do understand the p
- Original Message -
From: "Jim Reid"
To: "George Barwood"
Cc:
Sent: Sunday, March 07, 2010 10:20 AM
Subject: Re: [DNSOP] Should root-servers.net be signed
> On 7 Mar 2010, at 08:06, George Barwood wrote:
>
>> If root-servers.net is unsigned, it
On Mar 7, 2010, at 4:47 AM, Masataka Ohta wrote:
> Jim Reid wrote:
>
>> The Bad Guy won't have the private keys,
>
> Wrong.
>
> While the Bad Guy as an ISP administrator won't have the private
> keys, the Bad Guy as a zone administrator will have the private
> keys.
>
> That is, DNSSEC is not
Jim Reid wrote:
>> While the Bad Guy as an ISP administrator won't have the private
>> keys, the Bad Guy as a zone administrator will have the private keys.
> True,
Good enough.
> This claim is ridiculous. Unless someone uncovers a fundamental flaw in
> public key cryptography,
The fundament
My recommendation - upgrade your NAT.
regards
joe baptista
On Sun, Mar 7, 2010 at 3:06 AM, George Barwood <george.barw...@blueyonder.co.uk> wrote:
> I have been wondering about this.
>
> For a resolver behind a NAT firewall that removes port randomization,
> it is possible for an attacker to s
On 7 Mar 2010, at 12:47, Masataka Ohta wrote:
While the Bad Guy as an ISP administrator won't have the private
keys, the Bad Guy as a zone administrator will have the private keys.
True, but irrelevant. The original discussion was a theoretical,
misplaced concern about spoofed priming querie
Jim Reid wrote:
> The Bad Guy won't have the private keys,
Wrong.
While the Bad Guy as an ISP administrator won't have the private
keys, the Bad Guy as a zone administrator will have the private
keys.
That is, DNSSEC is not secure cryptographically, which is another
reason why not to deploy DNS
ah come on Jim... folks should sign their zones as soon
as they see fit, regardless of parental buy in. so the
one true root or even .net being signed doesn't really matter
if the root-servers.net zone gets signed tomorrow.
how useful it will be, who knows... not sure how the value
proposit
On 7 Mar 2010, at 08:06, George Barwood wrote:
If root-servers.net is unsigned, it's not possible for the resolver
to validate
the set of root IP addresses
So what? If the served zones are signed, it simply doesn't matter if
the address of a name server is spoofed or hijacked. The Bad Guy
George Barwood wrote:
> For a resolver behind a NAT firewall that removes port randomization,
You should also assume that the firewall traps all the packets to
port 53.
> it is possible for an attacker to spoof the priming query (only
> 16 bits of ID protection ).
Yes, it is possible even with
I have been wondering about this.
For a resolver behind a NAT firewall that removes port randomization,
it is possible for an attacker to spoof the priming query ( only 16 bits of
ID protection ).
If root-servers.net is unsigned, it's not possible for the resolver to validate
the set of root IP a
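Added example (Python, not code from any message in the thread): a model of the priming-query spoofing described in the message above. The resolver remembers the transaction ID and source port of its outstanding priming query and, with nothing signed to check against, accepts the first reply in which both match. With source-port randomization an off-path attacker has to cover roughly 2^32 (ID, port) pairs; behind a NAT that rewrites every query to one predictable port only the 16-bit ID is left, so enumerating all 65536 IDs is guaranteed to land a forged root server set. The pinned NAT port (2053), the ephemeral port range and the flood budgets are assumptions of the example.

```python
"""Priming-query spoofing with and without source-port randomization.
Added example with assumed parameters; nothing here touches the network."""
import random
from dataclasses import dataclass

ID_SPACE = 1 << 16                   # 16-bit transaction ID in the DNS header
PORT_LOW, PORT_HIGH = 1024, 1 << 16  # assumed ephemeral range of a randomizing resolver
PORT_SPACE = PORT_HIGH - PORT_LOW
NAT_PORT = 2053                      # assumed: the one port a broken NAT rewrites every query to


@dataclass(frozen=True)
class PrimingQuery:
    """What the resolver holds for its outstanding '. NS' priming query."""
    txid: int
    src_port: int


def send_priming(rng: random.Random, port_randomized: bool) -> PrimingQuery:
    """The resolver picks a random ID; the source port stays random only if the
    NAT in front of it leaves the port alone."""
    txid = rng.randrange(ID_SPACE)
    src_port = rng.randrange(PORT_LOW, PORT_HIGH) if port_randomized else NAT_PORT
    return PrimingQuery(txid, src_port)


def accepts(pending: PrimingQuery, reply_txid: int, reply_dst_port: int) -> bool:
    """With root-servers.net unsigned there is nothing else to validate: a reply is
    taken as the root server set when ID and destination port match the query."""
    return pending.txid == reply_txid and pending.src_port == reply_dst_port


def guess_space(port_randomized: bool) -> int:
    """Number of (ID, port) pairs an off-path attacker has to cover."""
    return ID_SPACE * (PORT_SPACE if port_randomized else 1)


def success_probability(budget: int, port_randomized: bool) -> float:
    """Chance that `budget` distinct forged replies, all arriving before the
    genuine answer, include the right pair."""
    return min(1.0, budget / guess_space(port_randomized))


def flood_known_port(pending: PrimingQuery, budget: int) -> int:
    """NAT has pinned the port, so the attacker enumerates IDs (assumed to know the port).
    Returns the number of forged replies sent when one is accepted, or -1."""
    for txid in range(min(budget, ID_SPACE)):
        if accepts(pending, txid, NAT_PORT):
            return txid + 1
    return -1


def flood_blind(pending: PrimingQuery, rng: random.Random, budget: int) -> int:
    """Against a port-randomizing resolver both fields have to be guessed."""
    for n in range(1, budget + 1):
        if accepts(pending, rng.randrange(ID_SPACE), rng.randrange(PORT_LOW, PORT_HIGH)):
            return n
    return -1


if __name__ == "__main__":
    rng = random.Random(2010)
    pinned = send_priming(rng, port_randomized=False)
    print("pinned port: forged reply accepted after", flood_known_port(pinned, ID_SPACE), "packets")
    print("pinned port, 10k-packet flood: p =", success_probability(10_000, False))
    randomized = send_priming(rng, port_randomized=True)
    print("random port: 10k-packet flood result:", flood_blind(randomized, rng, 10_000))
    print("random port, 10k-packet flood: p = %.2e" % success_probability(10_000, True))
```

The model deliberately stops at acceptance: it shows why the original message treats a spoofed priming response as the problem, and leaves open the question the rest of the thread argues about, namely whether a validator that can check the signed root zone itself still needs the root server addresses to be validated.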