Firewall Wizards mailing list archives

Re: DNS Extensions and Firewalls

From: "Thomas H. Ptacek" <tqbf () pobox com>
Date: Fri, 21 Feb 2003 15:37:04 -0500


[ clipped for context ]

I don't care about [useful]*.com until the root zone is signed to have
a verifiable chain of trust through com to [useful]*.com.  EDNS0
solves real-world problems, as others have pointed out, and not


DNS protocol discussions can spin out of control very quickly. Fortunately,
what's really at issue is a simple point.

Non-EDNS0, Non-DNSSEC servers constitute more than 70% of the installed base
of DNS servers. At the present moment, DNSSEC servers don't solve any
Internet-wide security problems. Somehow, despite the fact that we can cite
large record sets from AOL or CNN, the entire Internet seems to be
functioning just fine.

The "real-world" problems tied to EDNS0 seem awfully abstract and
subjective. "Why should DNS have to use TCP for large record sets?" I don't
know. Why should SNMP have to use ASN.1? I'd love to never have to write BER
code again. Unfortunately, the deployed system works. If "need to switch to
TCP DNS" is a real argument, you need to quantify it. Name a customer that
is being bitten by lack of EDNS0, and make a case for how much money they
are losing. 

But this is all completely irrelevant to firewall implementers. EDNS0 is a
new, peripheral extension to the core DNS protocols. What incentive do
implementers have for embracing these extensions?

As Mike Scher said in a previous post, many of these issues rapidly denature
into the question of "why did DNS++ choose to change the semantics of the
deployed DNS protocol, but maintain the same port?" These interoperability
problems could largely have been avoided.

---
Thomas H. Ptacek

PS: I'm happy to move away from the Bernstein discussion. However, you
    don't make it easy with innuendo about "single developer projects".
    Despite "single developer status", djbdns is the second-most popular
    DNS implementation. Despite "single developer status", qmail is the
    second-most popular Unix SMTP implementation. Both projects, in
    massive use across the Internet, maintain amazing security track
    records, despite huge incentive to unseat them.

PPS: I am, incidentally, curious about the experience you yourself have
     had shipping infrastructure software. Maybe this argument could be
     much more productive if we established that we shared a common
     experience evaluating and building networking software.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Allowing DNS servers to operate behind NetScreen 500, (continued)
- - - Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 13)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 04)
  - Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 Reckhard, Tobias (Feb 14)
  - Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
    - Re: Allowing DNS servers to operate behind NetScreen 500 tqbf (Feb 15)
    - Re: Allowing DNS servers to operate behind NetScreen 500 Paul D. Robertson (Feb 15)
    - Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 15)
    - Re: DNS vs. Bernstein tqbf (Feb 15)
    - Re: DNS and Firewalls Rob Payne (Feb 20)
    - Re: DNS Extensions and Firewalls Thomas H. Ptacek (Feb 21)
    - Re: DNS Extensions and Firewalls Frank Knobbe (Feb 22)
- RE: Allowing DNS servers to operate behind NetScreen 500 Reckhard, Tobias (Feb 17)
  - Re: Allowing DNS servers to operate behind NetScreen 500 Volker Tanger (Feb 17)
    - Re: Allowing DNS servers to operate behind NetScreen 500 Mike Scher (Feb 17)
  - Re: Allowing DNS servers to operate behind NetScreen 500 Chuck Swiger (Feb 17)
    - Re: Allowing DNS servers to operate behind NetScreen 500 David Lang (Feb 18)