Re: IESG feedback on dnsext-ad-is-secure
Date: Fri, 14 Jun 2002 13:20:51 -0400
From: Edward Lewis <edlewis@arin.net>
Message-ID: <a05111b03b92fd44c9c9c@[192.149.252.173]>
| One group won't care, the other will check themselves.
This translates into "if you aren't able to check, then you're
not allowed to care".
Certainly from a pure security viewpoint, where all that matters is
perfect validation, that's not unreasonable.
But almost no-one needs that - remember that all security is a trade
off between the costs, and the benefits (as is almost everything else).
It is perfectly acceptable for people (hosts, ...) to agree to
permit some increased risk, in return for some lower cost. That's
a tradeoff that everyone has to be permitted to make - and it is
not acceptable to simply write off anyone unable to get absolute
proof of correctness (nor to relegate them to "anything goes").
Eg: for many systems, simply trusting what the local resolver says
(without requiring it to be on the same net, and probably without
any special security measures) will be just fine. If that resolver
has given me false information, then I know who to go and blame.
That, or the answer has been spoofed, and if my net is even half way
reasonably protected, I can usually limit the source of that spoofing
to somewhere local (filtering inbound source addresses, etc).
So, if there's spoofing, it is coming from somewhere local, and
whoever is responsible, either for spoofing, or leaving a system
open enough to allow it to be taken over, can be dealt with.
Similarly, if the DHCP server gives me a bogus address as to where
I should query for my DNS answers.
For many users, that level of security is all that is required.
Don't demand that everyone have provably correct security, just
because you have been focused on that kind of issue (perhaps for
others who do need it) for so long, that everything else seems
hopeless.
By all means make sure the mechanisms are in place to allow good
security for those who need it - but don't then simply ignore everything
which isn't necessary in that perfect world.
kre