RE: hat tip to .gov hostmasters

2008-09-23 Thread Frank Bulk
Pretty soon we'll have a blacklist of DNS servers that don't support DNSSEC for .gov. =) Frank -Original Message- From: Chris Owen [mailto:[EMAIL PROTECTED] Sent: Monday, September 22, 2008 10:02 AM To: NANOG list Subject: Re: hat tip to .gov hostmasters

Re: hat tip to .gov hostmasters

2008-09-22 Thread Mark Andrews
In article <[EMAIL PROTECTED]> you write: >* marcus sachs: > >> While we wait for applications to become DNSSEC-aware, > >Uhm, applications shouldn't be DNSSEC-aware. Down that road lies >madness. What should an end user do when the browser tells him, >"Warning: Could not validate DNSSEC signatur

RE: hat tip to .gov hostmasters

2008-09-22 Thread Lindley James R
le thirst for Pierian waters. -Original Message- From: Kevin Oberman [mailto:[EMAIL PROTECTED] Sent: Monday, September 22, 2008 12:54 To: Goltz, Jim (NIH/CIT) [E] Cc: nanog@nanog.org Subject: Re: hat tip to .gov hostmasters > Date: Mon, 22 Sep 2008 11:42:33 -0400 > From: "Gol

RE: hat tip to .gov hostmasters

2008-09-22 Thread Robert Bonomi
> Subject: RE: hat tip to .gov hostmasters > Date: Mon, 22 Sep 2008 11:49:50 -0400 > From: "Keith Medcalf" <[EMAIL PROTECTED]> > > If I cannot authenticate the data myself, then it is simply untrusted and untrustworthy -- exactly the same as it is now.

Re: hat tip to .gov hostmasters

2008-09-22 Thread Stephen Sprunk
Kevin Oberman wrote: Date: Mon, 22 Sep 2008 11:42:33 -0400 From: "Goltz, Jim (NIH/CIT) [E]" <[EMAIL PROTECTED]> Remember, they've also "mandated" IPv6 support on all backbones. Yes, and the goal, relatively insignificant that it was, was met. It was not a requirement that anyone actua

Re: hat tip to .gov hostmasters

2008-09-22 Thread David Conrad
On Sep 22, 2008, at 8:11 AM, Keith Medcalf wrote: Correct, you need a validating, security-aware stub resolver, or the ISP needs to validate the records for you. That would defeat the entire purpose of using DNSSEC. In order for DNSSEC to actually provide any improvement in security whatsoev

Re: hat tip to .gov hostmasters

2008-09-22 Thread David Conrad
On Sep 22, 2008, at 7:56 AM, Florian Weimer wrote: I'm not much up on DNSSEC, but don't you need to be using a resolver that recognizes DNSSEC in order for this to be useful? Yes, and you also need the trust anchors for the zones you want to validate configured. Correct, you need a validat

Re: hat tip to .gov hostmasters

2008-09-22 Thread Kevin Oberman
> Date: Mon, 22 Sep 2008 11:42:33 -0400 > From: "Goltz, Jim (NIH/CIT) [E]" <[EMAIL PROTECTED]> > > > nice to see a wholesale DNSSEC rollout underway (I must confess to > > being a little surprised at the source, too!). Granted, it's a much > > more manageable problem set than, say, .com - but if o

Re: hat tip to .gov hostmasters

2008-09-22 Thread bmanning
On Mon, Sep 22, 2008 at 12:14:53PM -0400, Keith Medcalf wrote: > > > > If I cannot authenticate the data myself, then it is simply > > untrusted and untrustworthy -- exactly the same as it is now. > > > so I guess PGP web of trust is right out, then? > [elided] > > If there is a piece of data

Re: hat tip to .gov hostmasters

2008-09-22 Thread bmanning
On Mon, Sep 22, 2008 at 12:06:57PM -0400, Edward Lewis wrote: > At 15:30 + 9/22/08, [EMAIL PROTECTED] wrote: > > > data. We never finished the discussion on fail/open > > fail/closed wrt DNSSEC. > > And I'd bet a dollar we never will finish that discussion. > --

Re: hat tip to .gov hostmasters

2008-09-22 Thread bmanning
> > The end-stage is secure only if at that stage you also set all DNS > infrastructure to refuse to talk to any DNS client/server/resolver that DOES > NOT validate and enforce DNSSEC. Up until that point in time, there is NO > CHANGE in the security posture from what we have today with no DNS

Re: hat tip to .gov hostmasters

2008-09-22 Thread Edward Lewis
At 15:30 + 9/22/08, [EMAIL PROTECTED] wrote: data. We never finished the discussion on fail/open fail/closed wrt DNSSEC. And I'd bet a dollar we never will finish that discussion. -- Edward Lewis

RE: hat tip to .gov hostmasters

2008-09-22 Thread Keith Medcalf
> > Just because YOU check the digital signature on an email > and forward that email to me (either with or without the > > signature data), if I do not have the capability to verify > the signature myself, I sure as hell am not going to trust your > > mere say-so that the signature is valid! > >

Re: hat tip to .gov hostmasters

2008-09-22 Thread Scott Francis
On Mon, Sep 22, 2008 at 8:49 AM, Keith Medcalf <[EMAIL PROTECTED]> wrote: >> > If even one delegation is unsigned or even one resolver does not >> > enforce DNSSEC, then, from an actual security perspective, you will >> > be far worse off than you are now. > >> Why? > > If the local resolver does

RE: hat tip to .gov hostmasters

2008-09-22 Thread Keith Medcalf
> > That would defeat the entire purpose of using DNSSEC. In order for > >DNSSEC to actually provide any improvement in security whatsoever, > >the ROOT ZONE (.) needs to be signed, and every delegation up the > >chain needs to be signed. And EVERY resolver (whether recursive or > >local on host

Re: hat tip to .gov hostmasters

2008-09-22 Thread Scott Francis
On Mon, Sep 22, 2008 at 8:16 AM, Jason Frisvold <[EMAIL PROTECTED]> wrote: > On Mon, Sep 22, 2008 at 11:02 AM, Chris Owen <[EMAIL PROTECTED]> wrote: >> Chicken, meet egg. >> >> I think the point of the original post is that one end or the other has to >> start things. At least we have one US zone

RE: hat tip to .gov hostmasters

2008-09-22 Thread Goltz, Jim (NIH/CIT) [E]
> nice to see a wholesale DNSSEC rollout underway (I must confess to > being a little surprised at the source, too!). Granted, it's a much > more manageable problem set than, say, .com - but if one US-controlled > TLD can do it, hope is buoyed for a .com rollout sooner rather than > later (although

Re: hat tip to .gov hostmasters

2008-09-22 Thread Michael Thomas
Jason Frisvold wrote: On Mon, Sep 22, 2008 at 11:02 AM, Chris Owen <[EMAIL PROTECTED]> wrote: Chicken, meet egg. I think the point of the original post is that one end or the other has to start things. At least we have one US zone doing something on the server end of things. Oh, agre

Re: hat tip to .gov hostmasters

2008-09-22 Thread bmanning
On Mon, Sep 22, 2008 at 05:24:00PM +0200, Florian Weimer wrote: > * marcus sachs: > > > While we wait for applications to become DNSSEC-aware, > > Uhm, applications shouldn't be DNSSEC-aware. Down that road lies > madness. What should an end user do when the browser tells him, > "Warning: Could

Re: hat tip to .gov hostmasters

2008-09-22 Thread bmanning
On Mon, Sep 22, 2008 at 11:11:40AM -0400, Keith Medcalf wrote: > > > Correct, you need a validating, security-aware stub resolver, or the > > ISP needs to validate the records for you. > > That would defeat the entire purpose of using DNSSEC. In order for DNSSEC to > actually provide any improv

Re: hat tip to .gov hostmasters

2008-09-22 Thread Florian Weimer
* marcus sachs: > While we wait for applications to become DNSSEC-aware, Uhm, applications shouldn't be DNSSEC-aware. Down that road lies madness. What should an end user do when the browser tells him, "Warning: Could not validate DNSSEC signature on www.example.com, signature has expired. Con

Re: hat tip to .gov hostmasters

2008-09-22 Thread bmanning
On Mon, Sep 22, 2008 at 10:52:42AM -0400, Jason Frisvold wrote: > On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <[EMAIL PROTECTED]> wrote: > > nice to see a wholesale DNSSEC rollout underway (I must confess to being a > > little surprised at the source, too!). Granted, it's a much more manageable

Re: hat tip to .gov hostmasters

2008-09-22 Thread Florian Weimer
* Keith Medcalf: >> Correct, you need a validating, security-aware stub resolver, or the >> ISP needs to validate the records for you. > > That would defeat the entire purpose of using DNSSEC. In order for >DNSSEC to actually provide any improvement in security whatsoever, >the ROOT ZONE (.) need

Re: hat tip to .gov hostmasters

2008-09-22 Thread Jason Frisvold
On Mon, Sep 22, 2008 at 11:02 AM, Chris Owen <[EMAIL PROTECTED]> wrote: > Chicken, meet egg. > > I think the point of the original post is that one end or the other has to > start things. At least we have one US zone doing something on the server > end of things. Oh, agreed, absolutely. And it's

RE: hat tip to .gov hostmasters

2008-09-22 Thread marcus.sachs
puters are not fully DNSSEC-aware and won't be for many years to come. Marc -Original Message- From: Florian Weimer [mailto:[EMAIL PROTECTED] Sent: Monday, September 22, 2008 11:10 AM To: Colin Alston Cc: nanog@nanog.org Subject: Re: hat tip to .gov hostmasters * Colin Alston

Re: hat tip to .gov hostmasters

2008-09-22 Thread Florian Weimer
* Simon Vallet: >> I'm not much up on DNSSEC, but don't you need to be using a resolver >> that recognizes DNSSEC in order for this to be useful? > > You do -- and last time I checked few native resolvers actually did : > glibc doesn't, and I'd be surprised if the Windows resolver does Windows do

RE: hat tip to .gov hostmasters

2008-09-22 Thread Keith Medcalf
> Correct, you need a validating, security-aware stub resolver, or the > ISP needs to validate the records for you. That would defeat the entire purpose of using DNSSEC. In order for DNSSEC to actually provide any improvement in security whatsoever, the ROOT ZONE (.) needs to be signed, and ev

Re: hat tip to .gov hostmasters

2008-09-22 Thread Simon Vallet
On Mon, 22 Sep 2008 10:02:21 -0500 Chris Owen <[EMAIL PROTECTED]> wrote: > Chicken, meet egg. > > I think the point of the original post is that one end or the other > has to start things. At least we have one US zone doing something on > the se

Re: hat tip to .gov hostmasters

2008-09-22 Thread Florian Weimer
* Colin Alston: >> Correct, you need a validating, security-aware stub resolver, or the >> ISP needs to validate the records for you. > In public space like .com, don't you need some kind of central > trustworthy CA? No, why would you? You need to trust the zone operator, and you need some trus
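
The two mechanical points the thread keeps circling, Keith Medcalf's "every delegation up the chain needs to be signed" and Florian Weimer's "you need the trust anchors for the zones you want to validate configured" (plus the fail-open/fail-closed question bmanning and Edward Lewis raise), are what a validating resolver actually does when it walks the chain of trust. The following is an added example, not code from any poster or from any resolver discussed here. It models the walk with constructed zone names (".", "gov.", "example.gov."), constructed keys and a constructed A record; DNSKEY and DS records use the real wire encodings (RFC 3110, 4034, 4509), while the signatures are textbook RSA over SHA-256 rather than the full RRSIG format of RFC 5702, and the prime generator is only good enough for a demo.

```python
"""Toy DNSSEC chain-of-trust validator: an added example, not code from the thread.
Walks from a configured trust anchor (DS digest of the root DNSKEY) through each
delegation (DS -> DNSKEY -> child's signed DS) down to the target RRset. Names, keys
and records are constructed. DNSKEY and DS use the real wire encodings (RFC 3110,
4034, 4509); signatures are textbook RSA over SHA-256, not full RFC 5702 RRSIGs."""
import hashlib
import random

random.seed(2008)  # deterministic constructed keys

def _is_probable_prime(n, rounds=12):  # Miller-Rabin; fine for an example, not for real keys
    r = ((n - 1) & -(n - 1)).bit_length() - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True

def rsa_keygen(bits=512):  # textbook RSA, constructed for the example
    half = bits // 2
    cand = lambda: random.getrandbits(half) | (1 << (half - 1)) | 1  # odd, top bit set
    primes = (c for c in iter(cand, None) if _is_probable_prime(c))
    e, p, q = 65537, next(primes), next(primes)
    while p == q or (p - 1) % e == 0 or (q - 1) % e == 0:
        p, q = next(primes), next(primes)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def wire_name(name):  # canonical lower-case wire form; "." becomes b"\x00"
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(pub, flags=257):  # RFC 4034: flags (257 = KSK), protocol 3, alg 8 = RSASHA256
    n, e = pub
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return flags.to_bytes(2, "big") + b"\x03\x08" + bytes([len(eb)]) + eb + nb  # RFC 3110 key

def pub_from_dnskey(rdata):  # a validator trusts only the key bytes that matched the DS
    elen = rdata[4]
    return int.from_bytes(rdata[5 + elen:], "big"), int.from_bytes(rdata[5:5 + elen], "big")

def ds_digest(owner, dnskey):  # RFC 4509 DS digest type 2
    return hashlib.sha256(wire_name(owner) + dnskey).digest()

def _rr_hash(owner, rtype, rdata):  # simplified: a real RRSIG also covers its own RDATA
    return int.from_bytes(hashlib.sha256(wire_name(owner) + rtype.encode() + rdata).digest(), "big")

def verify_sig(pub, owner, rtype, rdata, sig):
    n, e = pub
    return pow(sig, e, n) == _rr_hash(owner, rtype, rdata)

class Zone:  # a signed zone: one key plus (owner, type) -> (rdata, signature)
    def __init__(self, name):
        self.name, self.records = name, {}
        pub, self.priv = rsa_keygen()
        self.dnskey = dnskey_rdata(pub)
        self.sign(name, "DNSKEY", self.dnskey)  # the DNSKEY RRset is self-signed

    def sign(self, owner, rtype, rdata):
        n, d = self.priv
        self.records[(owner, rtype)] = (rdata, pow(_rr_hash(owner, rtype, rdata), d, n))

    def delegate(self, child):  # parent publishes a signed DS: the link every delegation needs
        self.sign(child.name, "DS", ds_digest(child.name, child.dnskey))

def zone_chain(zones, name):  # zone apexes from the root down to the zone holding `name`
    labels = name.rstrip(".").split(".")
    suffixes = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return ["."] + [z for z in suffixes if z in zones]

def validate(zones, trust_anchor, name, rtype):
    """Return (secure, reason); SERVFAIL vs. handing a bogus answer back is the resolver's policy."""
    expected_ds, chain = trust_anchor, zone_chain(zones, name)
    for i, zname in enumerate(chain):
        zone = zones[zname]
        dnskey, sig = zone.records[(zname, "DNSKEY")]
        if ds_digest(zname, dnskey) != expected_ds:
            return False, "DNSKEY of %s does not match the DS above it" % zname
        pub = pub_from_dnskey(dnskey)
        if not verify_sig(pub, zname, "DNSKEY", dnskey, sig):
            return False, "DNSKEY RRset of %s has a bad signature" % zname
        owner, rt = (chain[i + 1], "DS") if i + 1 < len(chain) else (name, rtype)  # next link
        rec = zone.records.get((owner, rt))
        if rec is None:
            return False, "no signed %s %s in %s (unsigned delegation?)" % (owner, rt, zname)
        if not verify_sig(pub, owner, rt, *rec):
            return False, "%s %s is bogus" % (owner, rt)
        expected_ds = rec[0]
    return True, "secure"

def build_demo():  # constructed root -> gov. -> example.gov. chain with one A record
    root, gov, example = Zone("."), Zone("gov."), Zone("example.gov.")
    root.delegate(gov)
    gov.delegate(example)
    example.sign("www.example.gov.", "A", bytes([192, 0, 2, 10]))
    zones = {z.name: z for z in (root, gov, example)}
    return zones, ds_digest(".", root.dnskey)  # the anchor a validating resolver is configured with
```

`validate(*build_demo(), "www.example.gov.", "A")` walks the constructed chain and returns secure; swap the A record's bytes while keeping its signature and it comes back bogus, delete the DS for example.gov. from gov. and it stops at the unsigned delegation. Note what the code does not decide: it only reports. Whether a bogus or broken chain turns into SERVFAIL (fail closed) or the answer is handed back unvalidated (fail open) is a separate policy in the resolver, which is exactly the part of the argument the thread leaves unresolved; and a stub that merely forwards to a validating recursive server is trusting that server's say-so, which is the point Keith Medcalf presses.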

Re: hat tip to .gov hostmasters

2008-09-22 Thread Colin Alston
Florian Weimer wrote: > * Jason Frisvold: > >> On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <[EMAIL PROTECTED]> wrote: >>> nice to see a wholesale DNSSEC rollout underway (I must confess to being a >>> little surprised at the source, too!). Granted, it's a much more manageable >>> problem set t

Re: hat tip to .gov hostmasters

2008-09-22 Thread Chris Owen
On Sep 22, 2008, at 9:59 AM, Simon Vallet wrote: On Mon, 22 Sep 2008 10:52:42 -0400 "Jason Frisvold" <[EMAIL PROTECTED]> wrote: I'm not much up on DNSSEC, but don't you need to be using a resolver that recognizes DNSSEC in order for this to be use

Re: hat tip to .gov hostmasters

2008-09-22 Thread Simon Vallet
On Mon, 22 Sep 2008 10:52:42 -0400 "Jason Frisvold" <[EMAIL PROTECTED]> wrote: > I'm not much up on DNSSEC, but don't you need to be using a resolver > that recognizes DNSSEC in order for this to be useful? You do -- and last time I checked few native resolvers actually did : glibc doesn't, and I

Re: hat tip to .gov hostmasters

2008-09-22 Thread Florian Weimer
* Jason Frisvold: > On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <[EMAIL PROTECTED]> wrote: >> nice to see a wholesale DNSSEC rollout underway (I must confess to being a >> little surprised at the source, too!). Granted, it's a much more manageable >> problem set than, say, .com - but if one US

Re: hat tip to .gov hostmasters

2008-09-22 Thread Jason Frisvold
On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <[EMAIL PROTECTED]> wrote: > nice to see a wholesale DNSSEC rollout underway (I must confess to being a > little surprised at the source, too!). Granted, it's a much more manageable > problem set than, say, .com - but if one US-controlled TLD can do i