Let me try to take care of both of these related points together: Joe Greco <[email protected]>: > Then we merely move on to the issue of cache poisoning individual > clients. > > Assuming that the CPE is a NAT (effectively firewalling clients from > poisoning attacks) and/or that the individual clients have well- > designed, impervious resolvers is likely to be a fail.
David Conrad <[email protected]>: > As I understand it, you're proposing pushing the resolvers out to the > edges That is not what we are proposing. We are not suggesting resolvers be *moved*, but rather *removed*. That is, clients simply do name lookup on their own. Name lookup at an endpoint is different from name lookup in an intermediate resolver. An intermediate resolver looks up a name on behalf of other hosts. It therefore *must* listen for lookup requests that roll in from the network. This is fundamental to a resolver's operation---it simply *must* accept requests from other hosts. Don't get me wrong.... it doesn't have to accept all requests and as we know, too many resolvers accept requests they should not. All I am saying is that the resolver cannot do its job without accepting requests from other hosts. On the other hand, an endpoint can look up a name without listening for any request from the network. We suggest this be an entirely local operation. Think of it like this: just because I want to load the cnn.com web page I don't have to run httpd. Well, just because I want to look up an A record for cnn.com doesn't mean I have to run bind. Could there be attacks against the internal lookup process on a host? Of course. But, those are attacks that require some sort of access to the end host first. David Conrad <[email protected]>: > if you're not doing DNSSEC at the edges, Let me be clear.... I am not arguing against DNSSEC. A crypto signed record is always better than a clear text record. But, DNSSEC is still not here and it seems to me that factoring out some of the intermediaries that we know sometimes both play games and have games played on them may well be a useful path. allman
pgpQhzuXt7GqY.pgp
Description: PGP signature
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
