Re: DNSSEC HW Support
On Mar 16, 2010, at 11:39 AM, Niobos wrote:

> On 2010-03-16 15:57, prock...@yahoo.com wrote:
> > I'm trying to figure out how many tests I need to run for an individual product (layer 2, 3, 4, and 7) before I can say it is completely DNSSEC compliant.
>
> By definition, any layer 2, 3 and 4 product is DNSSEC-agnostic:

Well, yes, kinda. Unfortunately there are a large number of things like firewalls and consumer CPE that folks think of as layer 3/4 devices, but that do silly things like assume DNS is only UDP, or max out at 512 bytes, or force DNS proxy mode. While we could argue for hours about whether they are really only L3/L4 devices, it wouldn't change the fact that folks think of them as "routers".

ICANN SSAC / CORE released a report a while back: http://www.icann.org/en/committees/security/sac035.pdf and I know that I have seen a bunch of other more recent tests.

W

> DNS with or without SEC-extension is considered payload. If an L2, 3 or 4 device does work with DNS and doesn't work with DNSSEC, it's broken and needs replacement.
>
> For completeness: switches and routers are layer 2 and 3 respectively.
>
> Layer 7 devices might be affected, since they may perform extensive checking on the DNS content itself.
>
> To answer your question: 0 tests for layer 2, 3 and 4. To be "completely compliant", you'd need to run an infinite number of tests for layer 7 devices. I'd test the different algorithms, including some very recent (RSASHA512) and different security statuses (bogus, insecure, secure).
>
> Niobos

-- 
"Beware that the most effective way for someone to decrypt your data may be with rubber hose." --- SSH 1.2.12 README

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
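Added example (editor's code, not from the thread and not from BIND or ISC): an offline checker for the three "router" behaviours Warren lists above, namely assuming DNS is UDP-only, capping messages at 512 bytes, and forcing a DNS proxy that strips EDNS0. It builds a query carrying an EDNS0 OPT record with the DO bit (RFC 1035 wire format; EDNS0 per RFC 2671, now RFC 6891; DO per RFC 3225), parses what comes back, and maps the symptoms onto finding tags. The reply bytes, the RRSIG filler, the server address and the name `example.com` are constructed assumptions for illustration; only `probe()` touches the network, and it is included to show how the same checks are driven live from behind a device under test.

```python
# Added example: offline checks for the middlebox behaviours named in the thread
# (DNS assumed UDP-only, messages capped at 512 bytes, forced proxy stripping EDNS0).
# Wire format per RFC 1035, EDNS0 (RFC 2671/6891), DO bit (RFC 3225). Replies are constructed.
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
DO_FLAG = 0x8000        # top bit of the OPT "TTL" flags word (RFC 3225)
CLASSIC_MAX = 512       # pre-EDNS UDP limit a broken device may still enforce
PROBE_BUFSIZE = 4096    # UDP payload size advertised by our probe

def encode_name(name):
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(qname, txid=0x1234, qtype=TYPE_A, do=True, bufsize=PROBE_BUFSIZE):
    """Standard query with an EDNS0 OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_FLAG if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:                      # a name ends with a 0 label or a 2-byte compression pointer
        n = msg[off]
        if n == 0 or n & 0xC0 == 0xC0:
            return off + (1 if n == 0 else 2)
        off += 1 + n

def parse_reply(msg):
    """Header flags, total size and (section, type, class, ttl) per RR; rdata is skipped."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    rrs = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            rrs.append((section, rtype, rclass, ttl))
            off += 10 + rdlen
    return {"flags": flags, "size": len(msg), "rrs": rrs}

def assess(udp_reply, tcp_reply):
    """Map the replies to a DO=1 probe onto failure tags; [] means the path is DNSSEC-clean."""
    if udp_reply is None:
        return ["no-udp-reply"]                  # large EDNS reply may be dropped on the path
    p = parse_reply(udp_reply)
    findings = []
    opts = [rr for rr in p["rrs"] if rr[1] == TYPE_OPT]
    if not opts:
        findings.append("edns-stripped")         # proxy/firewall removed the OPT RR
    elif not opts[0][3] & DO_FLAG:
        findings.append("do-bit-cleared")        # EDNS survived, the DNSSEC OK flag did not
    if not any(rr[1] == TYPE_RRSIG for rr in p["rrs"]):
        findings.append("no-rrsig")              # server never saw DO, or signatures were dropped
    if p["flags"] & FLAG_TC:
        if p["size"] <= CLASSIC_MAX:
            findings.append("truncated-at-512")  # something re-imposed the 512-byte limit
        if tcp_reply is None:
            findings.append("tcp-fallback-blocked")   # "assumes DNS is only UDP"
    return findings

def constructed_reply(query, rrsig=True, opt=True, do=True, tc=False, pad=400):
    """Constructed answer to `query` for offline use; the RRSIG rdata is filler, not a signature."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    ptr = b"\xC0\x0C"                            # compression pointer to the question name
    rrs = [ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if rrsig:
        rrs.append(ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, pad) + b"\x00" * pad)
    extra = [b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if do else 0, 0)] if opt else []
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, len(extra))
    return header + question + b"".join(rrs + extra)

def probe(server, qname, timeout=3.0):
    """Live driver (not exercised offline): UDP probe, TCP retry when TC is set, then assess()."""
    q, udp_reply, tcp_reply = build_query(qname), None, None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            udp_reply = s.recv(65535)
        except socket.timeout:
            pass
    if udp_reply and parse_reply(udp_reply)["flags"] & FLAG_TC:
        try:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)   # DNS over TCP is length-prefixed
                need, buf = struct.unpack("!H", s.recv(2))[0], b""
                while len(buf) < need:
                    chunk = s.recv(need - len(buf))
                    if not chunk:
                        raise OSError("short TCP reply")
                    buf += chunk
                tcp_reply = buf
        except (OSError, struct.error):
            pass
    return assess(udp_reply, tcp_reply)
```

Used live, `probe("192.0.2.53", "example.com")` (both values assumed) is run from behind the device under test against a resolver already known to return signed answers, so that every non-empty finding list is attributable to the path rather than to the server; an empty list is the pass condition. The "bogus/insecure/secure" statuses Niobos mentions are a validator-level test and are out of scope for this script.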
Re: DNSSEC HW Support
On 2010-03-16 15:57, prock...@yahoo.com wrote:
> I'm trying to figure out how many tests I need to run for an individual product (layer 2, 3, 4, and 7) before I can say it is completely DNSSEC compliant.

By definition, any layer 2, 3 and 4 product is DNSSEC-agnostic: DNS with or without SEC-extension is considered payload. If an L2, 3 or 4 device does work with DNS and doesn't work with DNSSEC, it's broken and needs replacement.

For completeness: switches and routers are layer 2 and 3 respectively.

Layer 7 devices might be affected, since they may perform extensive checking on the DNS content itself.

To answer your question: 0 tests for layer 2, 3 and 4. To be "completely compliant", you'd need to run an infinite number of tests for layer 7 devices. I'd test the different algorithms, including some very recent (RSASHA512) and different security statuses (bogus, insecure, secure).

Niobos
Re: DNSSEC HW Support
> > I'd like to get your feedback on the following thoughts regarding DNSSEC HW support.
> >
> > Any layer 2 or 3 devices forwarding frames or packets should not be affected by the implementation of DNSSEC regardless of the type of protocol (TCP/UDP) or the query size (large or small).
> >
> > Layer 4 devices (smart switches) should not be affected by the implementation of DNSSEC using the same logic.
> >
> > My thoughts are these products simply forward data based on a frame, IP address, or protocol and should not be affected by the implementation of DNSSEC. Would you agree?
> >
> > Thanks in advance.
>
> I think you are basically correct except for one very important caveat:
>
> DNS BGP anycasting (in widespread use by many large operations), where you might need to sign zones on the fly with special crypto hardware.

So if I'm testing a router for DNSSEC compliance, you'd recommend I run a test using RIP or OSPF, then a separate test for BGP. Is that correct?

I'm trying to figure out how many tests I need to run for an individual product (layer 2, 3, 4, and 7) before I can say it is completely DNSSEC compliant.
Re: DNSSEC HW Support
> I'd like to get your feedback on the following thoughts regarding DNSSEC HW support.
>
> Any layer 2 or 3 devices forwarding frames or packets should not be affected by the implementation of DNSSEC regardless of the type of protocol (TCP/UDP) or the query size (large or small).
>
> Layer 4 devices (smart switches) should not be affected by the implementation of DNSSEC using the same logic.
>
> My thoughts are these products simply forward data based on a frame, IP address, or protocol and should not be affected by the implementation of DNSSEC. Would you agree?
>
> Thanks in advance.

I think you are basically correct except for one very important caveat:

DNS BGP anycasting (in widespread use by many large operations), where you might need to sign zones on the fly with special crypto hardware.
DNSSEC HW Support
I'd like to get your feedback on the following thoughts regarding DNSSEC HW support.

Any layer 2 or 3 devices forwarding frames or packets should not be affected by the implementation of DNSSEC regardless of the type of protocol (TCP/UDP) or the query size (large or small).

Layer 4 devices (smart switches) should not be affected by the implementation of DNSSEC using the same logic.

My thoughts are these products simply forward data based on a frame, IP address, or protocol and should not be affected by the implementation of DNSSEC. Would you agree?

Thanks in advance.