[governance] A Survey of DNS Security

Robert Guerra rguerra at lists.privaterra.org
Mon May 1 08:11:49 EDT 2006


Thanks for the reply :)

Latest message on the IP list seems to confirm your comments. I'm
including it below as I don't know who on the governance list is also



On 1-May-06, at 12:08 AM, McTim wrote:
morning Robert,

On 5/1/06, Robert Guerra <rguerra at lists.privaterra.org> wrote:
A reference to this message just appeared on Dave Farber's IP list.

Yes, it has caused a bit of a splash, which is too bad, since it is
mostly handwaving.

-------- Original Message --------
Subject: [IP] more on Big holes in net's heart revealed
Date: Mon, 1 May 2006 07:21:50 -0400
From: David Farber <dave at farber.net>
Reply-To: dave at farber.net
To: ip at v2.listbox.com
References: <200605011017.k41AHlpK002555 at bartok.nlnetlabs.nl>

Begin forwarded message:

From: Jaap Akkerhuis <jaap at NLnetLabs.nl>
Date: May 1, 2006 6:17:47 AM EDT
To: Carl Malamud <carl at media.org>
Cc: dave at farber.net
Subject: Re: [IP] Big holes in net's heart revealed

Being in the talk, I might comment that it was all more a sales talk
for a Distributed Hash Table based alternative (which has its own
problems). There was a lot of FUD presented.

> Hi Dave -
> Here is their paper in case anybody wants to read the details:
> http://www.cs.cornell.edu/People/egs/papers/dnssurvey.pdf
> A simple takeaway ... upgrade your nameserver.  There is no excuse
> to be running 5-year old versions of software on a machine that
> provides critical infrastructure.
> Carl
>> Something "well known" but not advertised till now. djf

It is advertised all the time in various places. Warnings about
outdated software get ignored all the time. Surveys have been done
showing how many broken servers are still in production, but nobody
seems to listen, especially people running those servers.

To quote Mans Nilsson from the RIPE dns-wg mailing list:

    "Yes, we know.  Emin's work points out some of the far-gone
     of not paying attention. We are, however, pretty convinced that:

     1. The mentioned examples are extremes. Most of the namespace is
        in considerably better order.
     2. DNS has historically been a neglected part of the quality
        control most web site operators perform. It simply is so
        and ubiquitous that it is not seen as a critical part.
     3. The ultimate fix for this is DNSSEC."

Emin said that DNSSEC wouldn't help.

And there are of course different styles of what is correct. The
zone farber.net has small problems depending on who you ask
(http://www.zonecheck.fr/demo/ or http://dnsreport.com/). None of
these tests tell you that the servers for this domain can be abused
for DNS amplification attacks (recursion enabled).



Archives at: http://www.interesting-people.org/archives/interesting-people/
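The recursion check Jaap's last paragraph refers to (does a name server answer recursive queries for names it is not authoritative for, which is what makes it usable as an amplifier) as an added example, not code from the original thread: it builds a query with RD set, decodes the reply header and classifies the result. The sample replies are constructed, and the probe function assumes a plain UDP name server on port 53 that you administer.

```python
import socket
import struct

TXID = 0x1A2B  # constructed transaction id, shared by the sample packets below

def build_query(qname: str, txid: int = TXID) -> bytes:
    """Build a standard A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields an audit cares about."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF, "ancount": an}

def classify(resp: bytes, txid: int = TXID) -> str:
    """Say what a reply to a recursive query shows about the server's recursion."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "invalid"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursion"        # it resolved a name outside its own zones
    if h["ra"]:
        return "recursion-advertised"  # RA set but nothing answered: review the ACL
    return "recursion-refused"         # RA clear, typically RCODE REFUSED

def probe(server: str, qname: str, timeout: float = 3.0) -> str:
    """Send one recursive query to a server you run and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        return classify(s.recv(4096))

# Constructed sample replies (not captured from any server named in the thread):
# flags 0x8180 = QR, RD, RA set, NOERROR, one answer -> the server recursed
# flags 0x8105 = QR, RD set, RA clear, RCODE REFUSED -> recursion is disabled
SAMPLE_RECURSED = bytes.fromhex("1a2b 8180 0001 0001 0000 0000")
SAMPLE_REFUSED = bytes.fromhex("1a2b 8105 0001 0000 0000 0000")
```

A server that is meant to be authoritative only should come back as "recursion-refused" for a name it does not serve; anything else is the condition the thread is warning about.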
