This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
- Previous message (by thread): [dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
- Next message (by thread): [dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Bill Larson
wllarso at swcp.com
Mon May 1 02:15:10 CEST 2006
On Apr 30, 2006, at 5:40 PM, Niall O'Reilly wrote: > On 30 Apr 2006, at 20:02, Jim Reid wrote: >> Niall O'Reilly said he posted something through the >> "have your say" feature of the BBC web site. > > FYI, here's what I posted. > > Although the observations described at http://news.bbc.co.uk/1/hi/ > technology/4954208.stm > are interesting and raise important issues, their relation to the > conclusions made appears > to be at best only tenuous. Internet experts are far from convinced > of the rigour of Prof. > Sirer's logic. It is disappointing to see BBC so ready to report just > one side of a story. I'm not disagreeing with anybody here, I'm not exactly sure what I personally believe at this time and I hope that this discussion helps me make up my mind. But, I keep thinking back on an old security tool that I used to use and the implications of it's design on this issue. Many years ago Dan Farmer wrote a tool to audit the security of a system called COPS. This was built on the idea that the security of a system can be no greater than the security of it's weakest link. How can the "security of the DNS system" be considered as any better than the security of the parent servers? This is the basis for the CoDoNS investigation. Using an example from the paper. If the FBI has a delegated server that can be easily hijacked, then this would mean that a significant number of queries for information in the "fbi.gov" domain could be subverted with invalid info. This is a security issue and it is not an issue under the direct control of the FBI (except for their decision to base their operation on a third party service). Isn't this the same type of security issue evaluated with COPS? Isn't this just an issue of cascading of trust? Why should one situation be considered acceptable while another is unacceptable? Please understand, I am not convinced that CoDoNS is any improvement to the existing DNS system. I am still trying to develop my own informed opinion rather regurgitating than what Cornel or the BBC says. Bill Larson
- Previous message (by thread): [dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
- Next message (by thread): [dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]