Firewall Wizards mailing list archives
Re: DNS vs. Bernstein
From: tqbf () sockpuppet org
Date: Sat, 15 Feb 2003 14:20:30 -0800
> Thomas, that comment is ridiculously specious. I asked if Tobias was using nym-based security and then discussed why it is not practical.
Rob, calling my comments ``specious'' doesn't make them specious. Neither does concocting straw-man arguments. Not only am I not stepping into this discussion to defend ``nym-based security'', but you're intentionally oversimplifying Bernstein's suggestion to make a fantasy argument even easier to win.

Let me assume that you're responding to my message in good faith, and suggest that we're not going to come to a constructive resolution by ignoring each other's arguments.

I want to point out that ``DNSSEC requirements'' are not a credible reason to create hassles for firewall implementors. I think I have a good point in my favor: until [useful]*.COM is signed, EDNS0 and DNSSEC don't solve any real-world problems. You can say this is a chicken-and-egg problem because middleboxes are keeping DNSSEC from being deployed. Unfortunately, you'll have to contend with Vixie: ``it's impossible to know how many flag days we'll have before it's safe to burn ROMs... 2353 is already dead''. I think ``working code'' should come before attempts to build ``rough consensus''.

You want to point out that DNSSEC is a more credible solution than ``nyms''. Fine: make a good-faith effort to take the idea of ``names are linked to keys directly'' to its logical conclusion. Saying ``we should all go back to a hosts file and copying it from machine to machine'' is obviously not a good-faith effort: it assumes a ``nym-based system'' is simply the idea that names embed links to their keys. No competent engineer would consider that a real proposal. I don't suggest you are incompetent.

I haven't taken much time to think about ``nym-based security'' (my problem with DNSSEC ends at its presumptuousness and lack of real-world deployment, long before we get to alternative suggestions). But let me tell you what I start thinking about when confronted with this problem: names change when keys need to change, and we make it easier to propagate name changes. We rely on systems whose keys don't change often to act as signposts to link to systems that do.

Have you thought about any of this? Of course, one of the reasons I haven't either is that we're talking about DNS names that look like ``rkjhf934f.sockpuppet.org''. Don't you think that the author of the second-most popular open-source DNS server on the Internet understands this as well?

Our normal assumptions about the role of DNS go out the window in this environment. Clearly everyone understands this. So what point are you trying to make, again? That people shouldn't mention Bernstein in discussions about DNS security?

---
Thomas H. Ptacek

PS: _You_ didn't mention Bernstein. Tobias did. Your response was dedicated to discussing him because you find his ``nym'' idea offensive.

PPS: Let's establish that we can take Vixie's quote from: http://groups.google.com/groups?selm=arhtjh%24ags3%241%40isrv4.isc.org

PPPS: Putting quotes around ``Vixie'' doesn't make it an epithet. Putting quotes around ``implementor'' does not make Bernstein less of one.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Allowing DNS servers to operate behind NetScreen 500, (continued)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 03)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 13)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 Reckhard, Tobias (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 tqbf (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Paul D. Robertson (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 15)
- Re: DNS vs. Bernstein tqbf (Feb 15)
- Re: DNS and Firewalls Rob Payne (Feb 20)
- Re: DNS Extensions and Firewalls Thomas H. Ptacek (Feb 21)
- Re: DNS Extensions and Firewalls Frank Knobbe (Feb 22)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 03)
- Re: Allowing DNS servers to operate behind NetScreen 500 Volker Tanger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Mike Scher (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Chuck Swiger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 David Lang (Feb 18)