Re: [DNSOP] I think we may have a solution - DNSCurve

2008-09-03 Thread Stephane Bortzmeyer
On Wed, Sep 03, 2008 at 11:33:54AM +1000,
 Mark Andrews [EMAIL PROTECTED] wrote 
 a message of 24 lines which said:

   A NXDOMAIN response is cryptographically proved with DNSSEC.

There are two possibilities:

1) I understand nothing about DNSSEC (this is quite possible, given my
experience with it and the complexity of the protocol).

2) You are playing with words.

"The domain example.org does not exist" can be cryptographically proved
with DNSSEC, that's correct. But you need NSEC* records to do so; you
cannot directly sign a NXDOMAIN response.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] I think we may have a solution - DNSCurve

2008-09-03 Thread Roy Arends
On Sep 3, 2008, at 8:13 AM, Stephane Bortzmeyer wrote:

 On Wed, Sep 03, 2008 at 11:33:54AM +1000,
 Mark Andrews [EMAIL PROTECTED] wrote
 a message of 24 lines which said:

  A NXDOMAIN response is cryptographically proved with DNSSEC.



 2) You are playing with words.

 "The domain example.org does not exist" can be cryptographically proved
 with DNSSEC, that's correct. But you need NSEC* records to do so; you
 cannot directly sign a NXDOMAIN response.


Mark is not playing with words. His statement is absolutely correct.
He did not state nor imply that the NXDOMAIN response is _signed_, nor
that rcode=3 (name error) is _signed_.

The header is indeed not signed with DNSSEC. The header includes the
RCODE, therefore the RCODE is not signed.

What can be _proved_ by validating a combination of records (an
NXDOMAIN response) is whether the rcode=3 (name error) is correct or not.

I see Mark's message as a clarification, not a rebuttal.

Roy


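The point Roy makes above, as an added illustration that is not code from the thread or from any DNS implementation: a validator never trusts the unsigned header RCODE on its own, it derives "this name does not exist" from the signed NSEC records (RFC 4034 canonical ordering, RFC 4035 section 5.4 covering and wildcard rules) and then checks that rcode=3 agrees. The NSEC chain below is constructed; RRSIG verification and NSEC3 are assumed to be handled elsewhere.

```python
# Added example, not from the thread or any DNS implementation: decide whether
# already-validated NSEC records prove a name does not exist, then compare
# that proof against the (unsigned) header RCODE. RRSIG checks and NSEC3 are
# out of scope and assumed done before these records are passed in.

def canonical_key(name):
    """RFC 4034 6.1 canonical order: labels compared right to left, case-insensitive."""
    labels = [l.lower().encode() for l in name.rstrip('.').split('.') if l]
    return tuple(reversed(labels))

def key_covers(owner, nxt, q):
    """True if q sorts strictly between owner and next. The last NSEC of a zone
    points back to the apex (next < owner), so that interval wraps around."""
    if owner < nxt:
        return owner < q < nxt
    return q > owner or q < nxt

def nxdomain_proven(qname, nsecs):
    """nsecs: list of (owner, next) pairs from already-validated NSEC RRs.
    True only if some NSEC covers qname AND the records also show that no
    wildcard at the closest encloser could have synthesized an answer."""
    q = canonical_key(qname)
    chain = [(canonical_key(o), canonical_key(n)) for o, n in nsecs]
    covering = next(((o, n) for o, n in chain if key_covers(o, n, q)), None)
    if covering is None:
        return False          # qname exists, or the records are incomplete
    # Closest encloser: longest ancestor qname shares with the covering NSEC's names.
    ce = ()
    for name in covering:
        i = 0
        while i < min(len(q), len(name)) and q[i] == name[i]:
            i += 1
        ce = max(ce, q[:i], key=len)
    wildcard = ce + (b'*',)
    if any(o == wildcard for o, _ in chain):
        return False          # the wildcard exists; an answer should have been synthesized
    return any(key_covers(o, n, wildcard) for o, n in chain)

def rcode_justified(rcode, qname, nsecs):
    """The RCODE sits in the unsigned header, so a validator never trusts it on
    its own: rcode=3 is accepted only when the signed records prove it."""
    return rcode == 3 and nxdomain_proven(qname, nsecs)

# Constructed sample chain for a zone "example." holding only a.example. and c.example.
SAMPLE_NSECS = [("example.", "a.example."),
                ("a.example.", "c.example."),
                ("c.example.", "example.")]
```

A response for b.example. with rcode=3 and these three records validates; the same records with rcode=3 for a.example. (a name that exists) do not.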


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-03 Thread Danny McPherson

Dean,
I'm not going to argue this point by point with you, I simply
provided data points on what folks who do this as part of their
day job have observed and reported.  You can choose to
accept this, or not.

As for bots and CCs and what's done in practice today
and what's not, well, I know a little about that, as well as
many other folks here on the list.  If you have pointers to
any empirical or even anecdotal evidence I'd love to consider
that in the future, but conjecture provides little value.

 No, there's quite a wide distribution of responses, but mostly
 *OG types in various regions.

 Ahh. Figured as much.

Out of curiosity, who do you believe should respond to a
security operations surveys - beyond those in security ops
positions, that is?

 Mr. McPherson is
 associated with NANOG, attending 18 meetings as of NANOG 42; Only 46
 people have attended more NANOG meetings than Mr. McPherson.

 Interesting tidbit, I had no idea.  Useless, but interesting :-)

 Useless to you perhaps. Not so useless to everyone.  But it's interesting
 that you aren't concerned by the association with the other improper
 activities. I guess you know about those, so it comes as no surprise.

I've been to twice as many IETF meetings, and here, just like there,
I've learned over the years that there's cruft everywhere and the key
is being able to apply appropriate filters based on one's personal
experiences and opinions.

-danny


Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-03 Thread Danny McPherson

On Sep 3, 2008, at 9:42 AM, Dean Anderson wrote:

 I choose to report on why this data is not credible and should not be
 accepted by the DNSOP WG.

I believe the WG has heard your position:

There has been no further discussion of these attacks since the
two very small motivating attacks were discussed on NANOG some
time ago.  I don't see any evidence that there have been more than
two such attacks.

You don't see any evidence of attacks because you haven't read
about them on NANOG [or various network forums that you do
monitor] - duly noted, and comically ironic.

 The difference is that as a senior core member of NANOG, NANOG's
 disreputable activities reflect on you and discredit its surveys and
 reports. NANOG doesn't reflect the ISPs of North America, as shown by
 the 3000 or so members of ARIN versus the small number of core NANOG
 participants.

This survey has nothing to do with NANOG, and it's not in
any way supported or executed by NANOG.  I'm not sure why
you keep repeating this when I responded to your initial query
as such:

No, there's quite a wide distribution of responses, but mostly
*OG types in various regions.

I'm tempted to take your bait and take offense to your comments
above, but instead, will get back doing something productive as
my points have been made.

Done wasting bandwidth on this discussion here,

-danny


[DNSOP] trolls (Re: Reflectors are Evil was Re: Anycast was Re: Cache)

2008-09-03 Thread Paul Vixie
[EMAIL PROTECTED] (Danny McPherson) writes:

 Dean, I'm not going to argue this point by point with you, ...

how long is this community going to let a single person dominate its agenda?

i'm using kill-by-thread on dnsop now.  i have no idea how much i'm missing
of what's being posted, but what i really fear is what i'm missing by how much
is not being posted, because so many others have also been driven into similar
kill-by-thread exhaustion by the endless back and forth on the same small web
of interwoven topics by the same four or five people who just can't bear to
let foolish or silly or factually wrong statements go unchallenged.

an early and elementary usenet discovery, back in the low to mid 1980's, was
that some people will not change their views no matter what's said to them,
in fact they aren't really hoping for that, all they look for in replies to
their articles are hooks on which to hang a renewed restatement of whatever
they said before.  it is incumbent on all of us to not fall into the trap of
needing to set the record straight on a daily basis.  some things we don't
agree with can be left unchallenged, it won't affect the lens of history nor
the views of the silent majority of fence sitters watching the back & forth.

show some willpower, folks, please.
-- 
Paul Vixie


Re: [DNSOP] trolls (Re: Reflectors are Evil was Re: Anycast was Re: Cache)

2008-09-03 Thread Paul Vixie
   the un-answered argument wins

only if it's never answered.  that would cross the line.

answering it every day for the rest of all of our lives crosses the other line.

(not responding publicly to the personal parts of what bill said to me.)


Re: [DNSOP] trolls (Re: Reflectors are Evil was Re: Anycast was Re: Cache)

2008-09-03 Thread Dave CROCKER


Paul Vixie wrote:
 [EMAIL PROTECTED] (Danny McPherson) writes:
 
 Dean, I'm not going to argue this point by point with you, ...
 
 how long is this community going to let a single person dominate its agenda?


+1

The benefit of an open process is its ability to obtain unexpected input that
is useful.

The detriment is that it places an additional burden on everyone to filter out 
the noise.

Failure to do that adds more noise.

d/


ps. My own model is to wait to see postings of support from others.  Without
supporting posts, there is... no support.  So whatever is being put forward has
failed to gain traction and failed to be worth worrying about.
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net