
Re: [dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream

  • To: "Niall O'Reilly" <Niall.oReilly@localhost>
  • From: Bill Larson wllarso@localhost
  • Date: Sun, 30 Apr 2006 18:15:10 -0600
  • Cc: dns-operations@localhost, dns-wg@localhost

On Apr 30, 2006, at 5:40 PM, Niall O'Reilly wrote:

On 30 Apr 2006, at 20:02, Jim Reid wrote:

Niall O'Reilly said he posted something through the "have your say" feature of the BBC web site.

FYI, here's what I posted.

Although the observations described at http://news.bbc.co.uk/1/hi/technology/4954208.stm are interesting and raise important issues, their relation to the conclusions made appears to be at best only tenuous. Internet experts are far from convinced of the rigour of Prof. Sirer's logic. It is disappointing to see BBC so ready to report just one side of a story.

I'm not disagreeing with anybody here; I'm not exactly sure what I personally believe at this time, and I hope that this discussion helps me make up my mind. But I keep thinking back on an old security tool that I used to use and the implications of its design on this issue.

Many years ago Dan Farmer wrote a tool to audit the security of a system called COPS. This was built on the idea that the security of a system can be no greater than the security of its weakest link. How can the "security of the DNS system" be considered as any better than the security of the parent servers? This is the basis for the CoDoNS investigation.

Using an example from the paper: if the FBI has a delegated server that can be easily hijacked, then this would mean that a significant number of queries for information in the "fbi.gov" domain could be subverted with invalid info. This is a security issue, and it is not an issue under the direct control of the FBI (except for their decision to base their operation on a third-party service).

Isn't this the same type of security issue evaluated with COPS? Isn't this just an issue of cascading of trust? Why should one situation be considered acceptable while another is unacceptable?

Please understand, I am not convinced that CoDoNS is any improvement to the existing DNS system. I am still trying to develop my own informed opinion rather than regurgitating what Cornell or the BBC says.

Bill Larson
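The "cascading of trust" question in the message above can be made concrete by auditing which nameservers a zone transitively depends on: its own NS hosts, the zones those hostnames live in (a resolver has to resolve the NS name before it can reach the server), and every parent zone that hands out a delegation. The script below is an added example written for this archive page, not code from the poster, the CoDoNS project or the paper; the delegation map it walks is constructed for the example, and every name in it is made up (the `.test.` suffix is used so nothing resembles real DNS data).

```python
"""Transitive nameserver dependency audit (added example, constructed data).

Lists every authoritative server whose compromise could affect answers
for names under a given zone, i.e. the weakest-link reasoning applied
to DNS delegation. The ZONE_NS map is constructed for this example.
"""
from collections import deque

# Constructed delegation map: zone apex -> hostnames of its authoritative
# nameservers (as they would appear in NS records). All names are made up.
ZONE_NS = {
    ".": ["a.root.test."],
    "test.": ["a.root.test."],
    "gov.test.": ["a.gov-servers.test.", "b.gov-servers.test."],
    "agency.gov.test.": ["ns1.agency.gov.test.", "ns.dnsvendor.net.test."],
    "net.test.": ["a.gtld.test."],
    "dnsvendor.net.test.": ["ns.dnsvendor.net.test.", "ns2.cloudhost.org.test."],
    "org.test.": ["a.org-servers.test."],
    "cloudhost.org.test.": ["ns2.cloudhost.org.test."],
}


def parent_zone(zone):
    """Return the parent zone of `zone`, or None for the root."""
    if zone == ".":
        return None
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def enclosing_zone(name, zone_ns):
    """Return the longest known zone that contains the hostname `name`."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone_ns:
            return candidate
    return "."


def transitive_nameservers(zone, zone_ns=ZONE_NS):
    """All nameserver hosts that resolution of names under `zone` depends on.

    Breadth-first closure over: the zone's own NS hosts, the zone each NS
    hostname lives in, and the parent zone. A visited set makes in-bailiwick
    glue (ns1.agency.gov.test. inside agency.gov.test.) and the root's
    self-reference terminate.
    """
    hosts = set()
    seen = set()
    queue = deque([zone])
    while queue:
        z = queue.popleft()
        if z in seen:
            continue
        seen.add(z)
        if z not in zone_ns:
            raise KeyError(f"no delegation data for zone {z!r}")
        for ns in zone_ns[z]:
            hosts.add(ns)
            queue.append(enclosing_zone(ns, zone_ns))
        parent = parent_zone(z)
        if parent is not None:
            queue.append(parent)
    return hosts


def external_dependencies(zone, zone_ns=ZONE_NS):
    """Dependent hosts that are not under `zone` itself, sorted for display.

    These are the servers the zone owner does not operate but must still trust.
    """
    suffix = zone if zone == "." else "." + zone
    return sorted(h for h in transitive_nameservers(zone, zone_ns)
                  if not h.endswith(suffix))


if __name__ == "__main__":
    target = "agency.gov.test."
    deps = transitive_nameservers(target)
    print(f"{target} lists {len(ZONE_NS[target])} nameservers directly,")
    print(f"but its resolution depends on {len(deps)} hosts:")
    for host in sorted(deps):
        print("  ", host)
    print("outside the zone owner's control:", len(external_dependencies(target)))
```

Running it shows the gap the message is pointing at: the constructed `agency.gov.test.` zone lists only two nameservers, yet resolution of its names depends on eight hosts, seven of which belong to other organisations (the parent, the TLD and root operators, and the outsourced vendor's own upstream providers). The same walk, fed with real NS data from a resolver, is the check a zone operator would run before deciding how much to outsource.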