Firewall Wizards mailing list archives
Re: DNS Extensions and Firewalls
From: "Thomas H. Ptacek" <tqbf () pobox com>
Date: Fri, 21 Feb 2003 15:37:04 -0500
[ clipped for context ]
I don't care about [useful]*.com until the root zone is signed to have a verifiable chain of trust through com to [useful]*.com. EDNS0 solves real-world problems, as others have pointed out, and not
DNS protocol discussions can spin out of control very quickly. Fortunately, what's really at issue is a simple point. Non-EDNS0, Non-DNSSEC servers constitute more than 70% of the installed base of DNS servers. At the present moment, DNSSEC servers don't solve any Internet-wide security problems. Somehow, despite the fact that we can cite large record sets from AOL or CNN, the entire Internet seems to be functioning just fine. The "real-world" problems tied to EDNS0 seem awfully abstract and subjective. "Why should DNS have to use TCP for large record sets?" I don't know. Why should SNMP have to use ASN.1? I'd love to never have to write BER code again. Unfortunately, the deployed system works. If "need to switch to TCP DNS" is a real argument, you need to quantify it. Name a customer that is being bitten by lack of EDNS0, and make a case for how much money they are losing. But this is all completely irrelevant to firewall implementers. EDNS0 is a new, peripheral extension to the core DNS protocols. What incentive do implementers have for embracing these extensions? As Mike Scher said in a previous post, many of these issues rapidly denature into the question of "why did DNS++ choose to change the semantics of the deployed DNS protocol, but maintain the same port?" These interoperability problems could largely have been avoided. --- Thomas H. Ptacek PS: I'm happy to move away from the Bernstein discussion. However, you don't make it easy with innuendo about "single developer projects". Despite "single developer status", djbdns is the second-most popular DNS implementation. Despite "single developer status", qmail is the second-most popular Unix SMTP implementation. Both projects, in massive use across the Internet, maintain amazing security track records, despite huge incentive to unseat them. PPS: I am, incidentally, curious about the experience you yourself have had shipping infrastructure software. Maybe this argument could be much more productive if we established that we shared a common experience evaluating and building networking software. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Allowing DNS servers to operate behind NetScreen 500, (continued)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 13)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 Reckhard, Tobias (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 tqbf (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Paul D. Robertson (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 15)
- Re: DNS vs. Bernstein tqbf (Feb 15)
- Re: DNS and Firewalls Rob Payne (Feb 20)
- Re: DNS Extensions and Firewalls Thomas H. Ptacek (Feb 21)
- Re: DNS Extensions and Firewalls Frank Knobbe (Feb 22)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Volker Tanger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Mike Scher (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Chuck Swiger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 David Lang (Feb 18)