Firewall Wizards mailing list archives

Re: DNS vs. Bernstein


From: tqbf () sockpuppet org
Date: Sat, 15 Feb 2003 14:20:30 -0800

> Thomas, that comment is ridiculously specious.  I asked if Tobias was
> using nym-based security and then discussed why it is not practical.

Rob, calling my comments ``specious'' doesn't make them specious. Neither
does concocting straw-man arguments. Not only am I not stepping into this
discussion to defend ``nym-based security'', but you're intentionally
oversimplifying Bernstein's suggestion to make a fantasy argument even
easier to win. Let me assume that you're responding to my message in good
faith, and suggest that we're not going to come to a constructive
resolution by ignoring each other's arguments.

I want to point out that ``DNSSEC requirements'' are not a credible reason
to create hassles for firewall implementors. I think I have a good point
in my favor: until [useful]*.COM is signed, EDNS0 and DNSSEC don't solve
any real-world problems. You can say this is a chicken-and-egg problem
because middleboxes are keeping DNSSEC from being deployed. Unfortunately,
you'll have to contend with Vixie: ``it's impossible to know how many flag
days we'll have before it's safe to burn ROMs... 2353 is already dead''. 

I think ``working code'' should come before attempts to build ``rough
consensus''.

You want to point out that DNSSEC is a more credible solution than
``nyms''. Fine: make a good-faith effort to take the idea of ``names are
linked to keys directly'' to its logical conclusion. Saying ``we should
all go back to a hosts file and copying it from machine to machine'' is
obviously not a good-faith effort: it assumes a ``nym-based system'' is
simply the idea that names embed links to their keys. No competent
engineer would consider that a real proposal. I don't suggest you are
incompetent.

I haven't taken much time to think about ``nym-based security'' (my
problem with DNSSEC ends at its presumptuousness and lack of real-world
deployment, long before we get to alternative suggestions). But, let me
tell you what I start thinking about when confronted
with this problem: names change when keys need to change, and we make it
easier to propagate name changes. We rely on systems whose keys don't
change often to act as signposts to link to systems who do. Have you
thought about any of this?

Of course, one of the reasons I haven't either is that we're talking about
DNS names that look like ``rkjhf934f.sockpuppet.org''. Don't you think
that the author of the second-most popular open-source DNS server on the
Internet understands this as well? Our normal assumptions about the role
of DNS go out the window in this environment. Clearly everyone understands
this.

So what point are you trying to make, again? That people shouldn't mention
Bernstein in discussions about DNS security? 

---
Thomas H. Ptacek

PS: _You_ didn't mention Bernstein. Tobias did. Your response was
    dedicated to discussing him because you find his ``nym'' idea
    offensive.

PPS: Let's establish that we can take Vixie's quote from:
     http://groups.google.com/groups?selm=arhtjh%24ags3%241%40isrv4.isc.org
     
PPPS: Putting quotes around ``Vixie'' doesn't make it an epithet. Putting
      quotes around ``implementor'' does not make Bernstein less of one.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
