On 25 Oct 2012, at 20:33, Lorenzo Colitti wrote:

>> I'm also nervous about both DNS authorisation
>> and DNS authentication. Who is allowed to make
>> which DNS advertisements and how do I authenticate
>> the received DNS advertisement as both valid and
>> authorised?
>>
>
> I don't see a difference. There is no authorisation or
> authentication today. When you get a DNS server via DHCP,
> you believe it, or choose not to believe it,
> based on no information at all.

1) DHCP Authentication is standardised. [RFC 3118]
   Multiple implementations of DHCP Authentication exist.
   So this can be deployed/used in environments where
   DHCP Authentication is deemed sensible.

2) DNS Security is standardised. [RFC 4033 et alia]
   Multiple implementations of DNSsec exist.
   Deployment of DNSsec is growing much faster than initially expected.
   So this can be deployed/used in environments where
   DNS Authentication is deemed sensible.

3) It appears that DNSsec still can be used with mDNS.
   So again, this can be deployed/used in environments where
   DNS authentication is deemed sensible.

So, a proposal with no capability to authenticate information,
or address authorisation issues, seems very much like a non-starter.
At the very least, authentication needs to be specified/available,
and the authorisation issues need to be addressed.

> If there's a rogue DHCP server on the link that hands you
> a rogue DNS server, then guess what, you lose.

This is not true if DHCP Authentication has been deployed.

Instead, the quote above is a very good supporting justification
for comments that we need to specify mechanisms both that can
provide authentication and do address authorisation issues.

(From a different, purely practical, perspective)
I would guess that any proposal with less security capability
than we have today (i.e. with DHCP Authentication, DNSsec)
would be rejected by the IETF Security Area when they perform
their Area Review (which is usual prior to IESG approval of
any IETF track document).

Yours,

Ran

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
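As an added illustration of what the RFC 3118 "delayed authentication" mechanism cited in the message buys against a rogue server on the link (example code written for this page, not from the thread or from any DHCP implementation): a constructed HMAC-MD5 signer and verifier for DHCPv4 messages, showing that a message altered on the wire, replayed, or signed under an unknown secret ID is rejected, while a relay agent's rewrite of the hops and giaddr fields is tolerated. The header layout is a minimal model, and the shared secret, secret ID and transaction ID are constructed values.

```python
import hmac, hashlib, struct
# Constructed model of RFC 3118 delayed authentication (protocol 1, algorithm 1 =
# HMAC-MD5, RDM 0 = monotonic counter): the MAC covers the whole DHCPv4 message
# with the MAC field zeroed, and 'hops'/'giaddr' zeroed since relays rewrite them.
OPT_AUTH, OPT_END, OPTS_OFF = 90, 255, 240        # option codes; options start after cookie
HOPS_OFF, GIADDR_OFF, MAC_LEN, AUTH_HDR = 3, 24, 16, 15  # header offsets; MAC; proto+alg+RDM+RDV+ID

def dhcp_header(xid: int, chaddr: bytes) -> bytes:  # minimal DHCPDISCOVER header + magic cookie
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0,
                       b"", b"", b"", b"", chaddr, b"", b"") + b"\x63\x82\x53\x63"

def find_auth_option(msg: bytes):  # -> (offset of option 90's value, its length) or None
    i = OPTS_OFF
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                  # PAD has no length byte
            i += 1
        elif msg[i] == OPT_AUTH:
            return i + 2, msg[i + 1]
        else:
            i += 2 + msg[i + 1]
    return None

def compute_mac(msg: bytes, mac_off: int, secret: bytes) -> bytes:
    m = bytearray(msg)
    m[HOPS_OFF], m[GIADDR_OFF:GIADDR_OFF + 4] = 0, b"\0" * 4   # relay-mutable fields
    m[mac_off:mac_off + MAC_LEN] = b"\0" * MAC_LEN              # the MAC field itself
    return hmac.new(secret, bytes(m), hashlib.md5).digest()

def sign(msg_no_end: bytes, secret_id: int, secret: bytes, rdv: int) -> bytes:
    """Append option 90 (MAC zeroed) and END, then fill in the HMAC-MD5."""
    auth = struct.pack("!BBBQI", 1, 1, 0, rdv, secret_id) + b"\0" * MAC_LEN
    msg = msg_no_end + bytes([OPT_AUTH, len(auth)]) + auth + bytes([OPT_END])
    mac_off = find_auth_option(msg)[0] + AUTH_HDR
    return msg[:mac_off] + compute_mac(msg, mac_off, secret) + msg[mac_off + MAC_LEN:]

def verify(msg: bytes, secrets: dict, last_rdv: dict) -> bool:
    """Accept only if the MAC verifies under a known secret ID and the RDV increases."""
    found = find_auth_option(msg)
    if found is None or found[1] != AUTH_HDR + MAC_LEN:
        return False
    off, mac_off = found[0], found[0] + AUTH_HDR
    proto, alg, rdm, rdv, secret_id = struct.unpack("!BBBQI", msg[off:mac_off])
    if ((proto, alg, rdm) != (1, 1, 0) or secret_id not in secrets
            or rdv <= last_rdv.get(secret_id, -1)):   # unknown key, or a replay
        return False
    expected = compute_mac(msg, mac_off, secrets[secret_id])
    if not hmac.compare_digest(expected, msg[mac_off:mac_off + MAC_LEN]):
        return False
    last_rdv[secret_id] = rdv           # only advance the replay window on success
    return True
```

A receiver that drops every message failing `verify` never acts on an unauthenticated DHCP offer, which is the property the message above relies on when it says a rogue server no longer wins once DHCP Authentication is deployed.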
