Comments on: DNS Secondaries and Web Security http://etbe.coker.com.au/2008/08/21/dns-secondaries-web-security/ Linux, politics, and other interesting things Thu, 09 Feb 2012 01:09:24 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: etbe http://etbe.coker.com.au/2008/08/21/dns-secondaries-web-security/comment-page-1/#comment-15433 etbe Fri, 22 Aug 2008 02:29:36 +0000 http://etbe.coker.com.au/?p=717#comment-15433 bd_: Good idea! I think that assigning all addresses from a /96 to a single host would require either raw network access or some changes to the OS, while assigning a mere 1024 addresses could be achieved by a loop that runs "ip addr add" (or similar). wg: I believe that DNSSEC has at least as much overhead as the proposal to send two requests - which was rejected because of the overhead. Incidentally when using your initials as a link (which is what happens when you enter a URL when submitting a comment) you might want to use upper-case to make it more readable. Anon: The ignoring of unsolicited answers is a solution to a previous DNS problem. I believe that the current problems don't involve such bugs. bd_: Good idea! I think that assigning all addresses from a /96 to a single host would require either raw network access or some changes to the OS, while assigning a mere 1024 addresses could be achieved by a loop that runs “ip addr add” (or similar).

wg: I believe that DNSSEC has at least as much overhead as the proposal to send two requests – which was rejected because of the overhead.

Incidentally when using your initials as a link (which is what happens when you enter a URL when submitting a comment) you might want to use upper-case to make it more readable.

Anon: The ignoring of unsolicited answers is a solution to a previous DNS problem. I believe that the current problems don’t involve such bugs.

]]> By: Anonymous http://etbe.coker.com.au/2008/08/21/dns-secondaries-web-security/comment-page-1/#comment-15432 Anonymous Fri, 22 Aug 2008 00:40:50 +0000 http://etbe.coker.com.au/?p=717#comment-15432 Re: "But it should be practical to implement a system based on a federal agency distributing CDs with configuration files for BIND and any other DNS servers that are widely used (is any other DNS server widely used?)." djbdns is another DNS server, with configuration files very unlike BIND. It was also randomizes ports (and always has), and ignores answers to questions it didn't ask, which means it was immune to this bug. @wq The same people who shipped a DNS server with all the bugs and implementation flaws that caused this problem, are the same people who say DNSSEC is the solution. Why do you trust them? Re: “But it should be practical to implement a system based on a federal agency distributing CDs with configuration files for BIND and any other DNS servers that are widely used (is any other DNS server widely used?).”

djbdns is another DNS server, with configuration files very unlike BIND. It was also randomizes ports (and always has), and ignores answers to questions it didn’t ask, which means it was immune to this bug.

@wq

The same people who shipped a DNS server with all the bugs and implementation flaws that caused this problem, are the same people who say DNSSEC is the solution. Why do you trust them?

]]> By: wg http://etbe.coker.com.au/2008/08/21/dns-secondaries-web-security/comment-page-1/#comment-15415 wg Thu, 21 Aug 2008 02:53:22 +0000 http://etbe.coker.com.au/?p=717#comment-15415 My concern with these (and other) interim fixes to the "problems" with DNS, is that they only delay the final solution; DNSSEC. The sooner this issue is forced, the better, I think. My concern with these (and other) interim fixes to the “problems” with DNS, is that they only delay the final solution; DNSSEC. The sooner this issue is forced, the better, I think.

]]> By: bd_ http://etbe.coker.com.au/2008/08/21/dns-secondaries-web-security/comment-page-1/#comment-15413 bd_ Thu, 21 Aug 2008 02:23:45 +0000 http://etbe.coker.com.au/?p=717#comment-15413 Another reason for ipv6 - with ipv6 one could give their DNS server a /96 (the size of the ipv4 internet today) easily. Plus source port randomization and DNS's built-in request IDs gives 64 bits of entropy, which ought to be enough (and the root and GTLD servers support this already!) Another reason for ipv6 – with ipv6 one could give their DNS server a /96 (the size of the ipv4 internet today) easily. Plus source port randomization and DNS’s built-in request IDs gives 64 bits of entropy, which ought to be enough (and the root and GTLD servers support this already!)

]]>