On Oct 28, 2012, at 7:40 AM, bert hubert <bert.hub...@netherlabs.nl> wrote:
> On Sat, Oct 27, 2012 at 11:43:40PM -0700, David Conrad wrote:
>>> It appears that source port randomization works.
>>
>> Was there ever any doubt? The question wasn't (isn't?) whether source
>
> Yes, people used the Kaminsky hack as a way to push DNSSEC.

DNSSEC does not defend against the Kaminsky hack?

> So perhaps doubt was *instilled*.

Does port randomisation work against a MITM attack?

>> making the communication channel irrelevant. IMHO, it is a better
>> long-term solution (folks who know my opinion on DNSSEC may now require
>> smelling salts).
>
> As an implementor, after two years, we keep finding DNSSEC corner cases that
> make the authors of the very RFCs swoon.

As the co-author of the DNSSEC RFCs (4033/4034/4035/5155), I have yet to be swooned by any of the DNSSEC corner cases you've found.

> The effort of implementing everything correctly is just staggering, our
> number of regression tests is exploding just to try to keep everything in
> check.

Isn't the number of regression tests related to the number of bugs introduced?

> It might have been easier all round to just start from scratch and not
> pretend that this is 'an enhancement of DNS'.

BIND9 was started from scratch with the main purpose of adding DNSSEC. NSD2/3/4 and Unbound (Java/C) and BIND10 were started from scratch with DNSSEC support. I agree that adding DNSSEC to vanilla code is much harder.

> The length of the DNSSEC RFCs
> exceeds the length of the standardizing RFCs of DNS.

Not at all, both 1034 and 1035 are longer than 4034 and 4035. There are an awful lot of non-DNSSEC standards that update 1034 and 1035 that I could add, but I think I've already proven my point.

> By the way, I know some people will immediately chime in DNSSEC isn't that
> hard, but you won't hear an implementor among them…

As an implementer, I would not say that DNSSEC isn't that hard. It is not rocket science either.
Warm Regards,

Roy

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
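The two claims traded above ("source port randomization works" and the question of whether it helps against a MITM) come down to what a non-validating resolver can check on an incoming reply. The model below is an added example for this archive page, not code from the thread or from any resolver. It assumes a resolver that accepts the first reply whose transaction ID and destination port match an outstanding query, a 16-bit TXID, a 16-bit port when randomized, a single fixed port (53) when not, and an attacker who can inject a chosen number of forged replies per query; those numbers are assumptions for illustration. The off-path attacker (Kaminsky's position) has to guess the TXID, and the port too once it is randomized; the on-path attacker simply copies both from the query it observed, so randomizing the port changes nothing for that attacker, which is the case DNSSEC is meant to cover and this model does not.

```python
"""Toy model of DNS reply matching versus off-path and on-path spoofing.

Constructed example; the resolver, attacker and parameters are assumptions
for illustration, not the behaviour of any particular implementation.
"""
import random
from dataclasses import dataclass

TXID_BITS = 16          # DNS transaction ID is 16 bits
PORT_BITS = 16          # UDP source port, when the resolver randomizes it
FIXED_PORT = 53         # assumed port of a resolver that does not randomize


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int


def issue_query(rng, randomize_port):
    """Resolver sends a query; the pair (txid, sport) is all a reply is matched on."""
    txid = rng.getrandbits(TXID_BITS)
    sport = rng.getrandbits(PORT_BITS) if randomize_port else FIXED_PORT
    return Query(txid, sport)


def resolver_accepts(query, reply_txid, reply_dport):
    """The only check a non-validating resolver can make on a reply."""
    return query.txid == reply_txid and query.sport == reply_dport


def off_path_attack(rng, query, forged_replies, randomize_port):
    """Attacker never sees the query: sprays distinct (txid, port) guesses."""
    space = 1 << (TXID_BITS + (PORT_BITS if randomize_port else 0))
    for guess in rng.sample(range(space), forged_replies):
        txid = guess & ((1 << TXID_BITS) - 1)
        port = (guess >> TXID_BITS) if randomize_port else FIXED_PORT
        if resolver_accepts(query, txid, port):
            return True
    return False


def on_path_attack(query):
    """Attacker saw the query on the wire: one forged reply, copied fields."""
    return resolver_accepts(query, query.txid, query.sport)


def analytic_success(space_bits, forged_replies):
    """Probability one query is poisoned by `forged_replies` distinct guesses."""
    return min(1.0, forged_replies / (1 << space_bits))


def simulate(trials, forged_replies, randomize_port, seed=1):
    """Return (off-path successes, on-path successes) over `trials` queries."""
    rng = random.Random(seed)  # seeded so runs are repeatable
    off_path = on_path = 0
    for _ in range(trials):
        query = issue_query(rng, randomize_port)
        off_path += off_path_attack(rng, query, forged_replies, randomize_port)
        on_path += on_path_attack(query)
    return off_path, on_path


if __name__ == "__main__":
    for randomize in (False, True):
        bits = TXID_BITS + (PORT_BITS if randomize else 0)
        off, on = simulate(2000, 1000, randomize)
        print(f"port randomized={randomize}: search space 2^{bits}, "
              f"off-path poisoned {off}/2000 "
              f"(expected per query {analytic_success(bits, 1000):.2e}), "
              f"on-path poisoned {on}/2000")
```

With a fixed port the attacker's 1000 guesses per query cover about 1.5% of the 2^16 space, so a few dozen of 2000 queries are poisoned; with the port randomized the space is 2^32 and the same spray essentially never lands. The on-path column is 100% in both rows, which is the point of the MITM question above: randomization raises the cost of guessing, and does nothing for an attacker who does not have to guess.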