Hello,

I am presenting this document for adoption in either the intarea wg or the dnsext wg or dnsop wg. I believe that I have considered all the comments that I received and incorporated what was applicable into this draft, thus making it a much improved draft. I also read most of the RFCs dealing with SSH and its use in DNS that Dave suggested.

Even though you say that CGA is complex, I proved in my draft, based on the experimental results, that it can be generated in less than 600 milliseconds. SSH also has its own complexity. As you know, SSH uses different ports, and so one needs to integrate SSH with the current DNS implementations in order to have the authentication accepted using port 22. It is for this reason that I do not believe that the use of SSH is a good solution for the current problem, i.e., secure authentication in NDP and SEND enabled networks. My solution only involves the use of the same cached value available in the node. I have implemented this solution, and the implementation of CGA-TSIG won the first place prize at the 5th IPv6 International Contest as a solution for securing DNS against spoofing attacks.

Here is a summary of what is being proffered:

- Using the cached value, available in a node, for authentication purposes for
  o A client to authenticate a resolver
  o A DNS server to authenticate another DNS server or a client who wants to update its resource records on that server.
- This approach is applicable in all networks using SEND to secure them.
- The implementation of this approach is now available for a Windows client (that I will extend to Linux clients) and for PowerDNS as a server. For the client, it is easily installed. A user with little computer experience can install it, as he just needs to click on the "NEXT" button. But for PowerDNS, as PowerDNS has its own configuration, it is equally as easy.
- Analysis of the data from our many experiments shows that the CGA generation, using a sec value of 1, which provides enough security for the network, takes less than 600 milliseconds.

Finally, the purpose of this draft is to demonstrate how to minimize human intervention, as much as possible, in performing the update process and resolving a query. When, in a network, a good node (a legitimate node) goes bad, because of a virus or because an attacker takes control of one of the legitimate nodes in a network, CGA-TSIG will prevent spoofing attacks against this DNS server.

If there are any questions with regard to this draft, feel free to ask me for clarification. Finally, do not forget to reply with +1 if you would like to support this solution.

http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig-01

Thank you,
Hosnieh
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
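As an added illustration of the CGA generation cost the post refers to (example code written here, not the draft's or the CGA-TSIG implementation's), the following implements RFC 3972 address generation and verification, showing the hash-extension loop whose expected 2^(16*sec) SHA-1 trials is what the sec value buys. The subnet prefix and the public-key bytes are constructed placeholders, not a real DER-encoded key.

```python
import hashlib
import os

SEC_BITS_PER_LEVEL = 16  # RFC 3972: Hash2 must begin with 16*Sec zero bits


def _hash2(modifier, pubkey):
    # Hash2 = SHA-1(Modifier | 9 zero octets | Public Key), leftmost 112 bits
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash1(modifier, prefix, count, pubkey):
    # Hash1 = SHA-1(Modifier | Subnet Prefix | Collision Count | Public Key), leftmost 64 bits
    return hashlib.sha1(modifier + prefix + bytes([count]) + pubkey).digest()[:8]


def _leading_zero_bits_ok(h, sec):
    # True when the leftmost 16*sec bits of h are all zero (always true for sec == 0)
    return int.from_bytes(h, "big") >> (len(h) * 8 - SEC_BITS_PER_LEVEL * sec) == 0


def _apply_sec_and_ug_bits(iid, sec):
    # Top 3 bits of the interface identifier carry Sec; u (0x02) and g (0x01) bits are cleared
    iid = bytearray(iid)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(prefix, pubkey, sec, modifier=None, collision_count=0):
    """Return (16-byte IPv6 address, CGA parameters) for the given prefix/key/sec."""
    if not (0 <= sec <= 7 and len(prefix) == 8 and 0 <= collision_count <= 2):
        raise ValueError("bad CGA parameters")
    m = int.from_bytes(modifier or os.urandom(16), "big")
    # Hash extension: keep incrementing the modifier until Hash2 has 16*sec leading zero bits
    while not _leading_zero_bits_ok(_hash2(m.to_bytes(16, "big"), pubkey), sec):
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    iid = _apply_sec_and_ug_bits(_hash1(modifier, prefix, collision_count, pubkey), sec)
    return prefix + iid, {"modifier": modifier, "collision_count": collision_count, "pubkey": pubkey}


def verify_cga(address, params):
    """RFC 3972 Section 5: recompute Hash1 and Hash2 from the parameters and compare."""
    if len(address) != 16 or not 0 <= params["collision_count"] <= 2:
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5  # Sec is read from the address itself, not trusted from the parameters
    expected = _apply_sec_and_ug_bits(
        _hash1(params["modifier"], prefix, params["collision_count"], params["pubkey"]), sec)
    if expected != iid:
        return False
    return _leading_zero_bits_ok(_hash2(params["modifier"], params["pubkey"]), sec)
```

Verification rereads sec from the address, so an attacker cannot lower the work factor by claiming a smaller sec in the parameters; a key substitution fails because Hash1 no longer matches the interface identifier.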
