On Tue, 19 Aug 2008, bert hubert wrote:

> Is there some sort of shield preventing people from reading or even arguing with
> http://www.ops.ietf.org/lists/namedroppers/namedroppers.2008/msg01213.html
> ?
>
> All those things can be done today, unilaterally, and they start working
> from the moment you enable them.

Unless, for example, you're behind a NAT router undoing source port
randomizations. Yes, a lot of large companies with enough bandwidth do silly
things like that.

> In fact, I'm so far not having luck getting around even my 3-year-old
> primitive anti-spoofing behaviour. I've reduced the number of ports I use to
> 10 to make things more doable, but no luck.
>
> So please consider other options before repeating the holy mantra 'DNSSEC is
> the only solution'.

Making a race harder is not a solution. It is a workaround. What is needed
is a real solution. 10 years ago, in 1998, most people had bandwidth of
about 14k4 on dialup and the transaction ID was good enough. Now, when
I move into a new house here I get Fast Ethernet, and we know that it is
not good enough and we patched it up using source port randomisations. In
another 10 years, 1 billion mobile phones will have that bandwidth each.

Sure, it was cool we could delay a real solution today using port
randomisations, but it's still a workaround, one that was resisted as long as
we could for good reasons. Do we really want to wait another 10 years and then
add another few bits with something like dns-0x20? And who says there won't be
easier races to be run in the near future? Or yet more not-so-random
transaction ids or not-so-random source ports?

On top of that, people seem to forget about the simpler cases of DNS spoofing.
When we're on 3G and wifi all the time, anyone can see our DNS requests, and
spoofing those is trivial. Your quoted URL disregards that as "a lost case
anyway", which it is not. With DNSSEC deployed, attackers can see and try to
modify all the way, but it won't help them lure me to their evil sites. And
dns-0x20 or source port randomisation is not going to help me there.

The case for a theoretically secure DNS is long past us. If I can't use the
internet at Starbucks safely, it is not a solution for this era.

Paul
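As an added illustration that is not part of the thread: a small Python model of the race Paul describes, estimating how long a blind attacker needs on average to land one forged reply when only the transaction ID must be guessed, when a randomised source port is added, and when dns-0x20 adds a bit per letter. The packet size, the 14k4 and Fast Ethernet link speeds, the assumption that the attacker can re-trigger queries at will, and the 12-letter name are all assumptions chosen for illustration.

```python
# Added example, not from the mailing-list thread. Models the DNS spoofing race:
# the attacker must match every bit that identifies the outstanding query, so the
# mean number of forged replies needed is 2**bits, and the time to win is set by
# how many forged replies per second the attacker's link can carry.
# All numeric figures below are assumptions for illustration only.

TXID_BITS = 16                 # the DNS transaction ID is a 16-bit field
SOURCE_PORT_BITS = 16          # ~2**16 UDP source ports when randomised (approximation)
SPOOFED_RESPONSE_BYTES = 100   # assumed on-the-wire size of one forged reply

BANDWIDTHS_BPS = {             # assumed attacker link speeds named in the message
    "14k4 dial-up (1998)": 14_400,
    "Fast Ethernet (2008)": 100_000_000,
}


def guess_space_bits(txid_bits=TXID_BITS, port_bits=0, case_letters=0):
    """Bits a blind attacker must match: TXID, plus the source port when it is
    randomised (and not undone by a NAT), plus one bit per 0x20-cased letter."""
    return txid_bits + port_bits + case_letters


def expected_seconds_to_win(space_bits, bandwidth_bps,
                            packet_bytes=SPOOFED_RESPONSE_BYTES):
    """Mean seconds until one forged reply matches, assuming the attacker can
    re-trigger the query at will (only forged-packet throughput matters) and
    each guess succeeds with probability 2**-space_bits (geometric trial)."""
    packets_needed = 2 ** space_bits                  # mean of the geometric trial
    packets_per_second = bandwidth_bps / (packet_bytes * 8)
    return packets_needed / packets_per_second


def race_table(case_letters=12):
    """Seconds to win for each defence level at each assumed bandwidth."""
    levels = {
        "txid only / NAT de-randomised port": guess_space_bits(),
        "txid + random source port": guess_space_bits(port_bits=SOURCE_PORT_BITS),
        "txid + port + dns-0x20": guess_space_bits(port_bits=SOURCE_PORT_BITS,
                                                   case_letters=case_letters),
    }
    return {(level, link): expected_seconds_to_win(bits, bps)
            for level, bits in levels.items()
            for link, bps in BANDWIDTHS_BPS.items()}


if __name__ == "__main__":
    for (level, link), secs in race_table().items():
        print(f"{level:36s} {link:22s} {secs / 3600:14.3f} h")
```

At 14k4 the 16-bit TXID alone costs the attacker about an hour; on Fast Ethernet it costs about half a second, and a NAT that rewrites the randomised port puts the resolver back in exactly that position.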
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop