List:       namedroppers
Subject:    Re: zones w/ downs syndrom
From:       Kevin Darcy <kcd () daimlerchrysler ! com>
Date:       2000-08-09 0:34:02

Terry Lambert wrote:

> Kevin Darcy wrote:
> > Terry,
> >            I don't see that every new feature of DNS needs
> > to enhance security.
>
> Me neither; however, I do see that it needs to not damage it.
>
> Don't get me wrong.  I am the person who brought this up as
> an issue for me, since I didn't like having an out-of-band
> interface to support.
>
> > The point of allowing dynamic zone creation is not to
> > enhance security, but to provide convenience and productivity
> > for administrators.  It is sufficient, is it not? that it not
> > *harm* security. I don't see that it does.
>
> The problem is the creation of zones in slaves.
>
> The main arguments are that this is an operational issue,
> since the creation of zones over the wire is not specified
> as part of the protocol; my argument in the original
> discussions was that _it should be_, and that _the purpose
> of the wire protocol is to do all operations which can be
> done to a DNS server_.  This makes it a protocol, not an
> operational issue.

I'd love to see a protocol for DNS server configuration as well, and
obviously I'd want it to be secure. But are there any drafts, any
designs, any prototypes for such a thing? Allowing dynamic zone creation
on masters is something that pays off in the near term. I don't see why
a concrete near-term gain should be held hostage to a mere idea or a
promise of better things to come.

> The problem with slaves is that you would permit arbitrary
> data to be entered into slaves by outside parties by doing
> poisoning or spoofing of masters, either of which is
> unacceptable.

Yes, this is a design challenge of the new protocol. Obviously a way
would need to be found to prevent abuses.

> > The security of the Dynamic Updates themselves is, we
> > agree, not the issue, and as for the security of
> > initiating master/slave relationships, people can just
> > keep on using the same presumably-secure out-of-band
> > mechanisms for this as they are using today -- the fact
> > that the zone was created dynamically doesn't impact this
> > much one way or the other. What *new* security challenge
> > does dynamic zone-creation raise?
>
> Primarily, the problem is that the OOB mechanism exists
> now.  People just don't like it, because it doesn't use
> the DNS protocol.

Well, actually, my slaves *do* use the DNS protocol to determine what
zones to start slaving or stop slaving: every night they treewalk-query
their way through our internal-root namespace, checking delegations. So,
technically, I'm not even using an OOB mechanism, yet my slaves always
slave the zones I want them to. Perhaps then you can appreciate why your
angst about OOB mechanisms doesn't carry much weight with me. The lack
of dynamic zone creation is a *much* bigger deal in my particular neck
of the woods. I want to move *all* zone maintenance to secured Dynamic
Update, but there's this annoying little SOA exception...

Even in environments where the tree-walking part of the above approach
is not practical, e.g. in exceptionally large namespaces like the
Internet DNS, I expect one could use the receipt of a new SOA NOTIFY to
trigger a delegation-check and possible subsequent slave zone creation.
For added security, change the NOTIFY spec to allow them to be signed --
only a minor extension and probably overdue anyway.

> > P.S. Of course I have searched the archives for these
> > alleged discussions, every which way I could think of.
> > They seem to be missing from the archives, or at least
> > are very well hidden. Pointers or suggestions as to
> > their whereabouts would be greatly appreciated.
>
> The current mailing list is "namedroppers@internic.net",
> which is the old address.  You should look in the
> archives of the current list, which is actually named
> "namedroppers@ops.ietf.org", so you are probably looking
> at the wrong archives (which also explains why this
> thread is not being filtered to the correct mailbox by
> my MUA).

Those are list (i.e. mail) addresses, but according to
http://www.ietf.org/html.charters/dnsext-charter.html , the
archive location for the WG is ftp://ops.ietf.org/pub/lists. From that
source, I've been able to download namedroppers archives stretching
more-or-less continuously from the present day back to the 80's, yet
I can't find the discussions to which you refer using any of the search
terms I've tried -- many of them. I also checked the dnssec archives: no
success. Any other ideas?


-Kevin
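The nightly delegation tree-walk described above, as an added example that is not part of the original post and not Kevin's own script: it stands in for AXFR/NS queries with a constructed in-memory map (`ZONES`, `transfer`, and all nameserver names are assumptions) and derives which zones a given slave should be slaving, then diffs that against what it currently serves.

```python
# Constructed zone data: each zone maps to the NS RRsets it contains, keyed by
# owner name. An NS RRset at a name other than the zone apex is a delegation.
ZONES = {
    ".": {".": ["root1.example."],
          "example.": ["ns1.example.", "ns2.example."]},
    "example.": {
        "example.": ["ns1.example.", "ns2.example."],
        "corp.example.": ["ns1.example.", "slave1.corp.example."],
        "ext.example.": ["ns2.example."],
    },
    "corp.example.": {
        "corp.example.": ["ns1.example.", "slave1.corp.example."],
        "lab.corp.example.": ["slave1.corp.example."],
    },
    "ext.example.": {"ext.example.": ["ns2.example."]},
    "lab.corp.example.": {"lab.corp.example.": ["slave1.corp.example."]},
}


def transfer(zone):
    """Stand-in for pulling a zone's NS RRsets from its master (hypothetical);
    returns None when the zone cannot be transferred."""
    return ZONES.get(zone)


def walk_delegations(zone="."):
    """Follow delegations down from the internal root, yielding
    (zone, nameservers) for every zone reachable in the tree."""
    rrsets = transfer(zone)
    if rrsets is None:          # lame or unreachable delegation: skip subtree
        return
    yield zone, rrsets[zone]
    for owner, _ in rrsets.items():
        if owner != zone:       # NS at a non-apex owner is a delegation point
            yield from walk_delegations(owner)


def zones_for_slave(slave, root="."):
    """Zones whose delegation lists this slave, i.e. the ones it should serve."""
    return {z for z, nss in walk_delegations(root) if slave in nss}


def reconcile(slave, currently_slaved, root="."):
    """Return (zones to start slaving, zones to stop slaving)."""
    wanted = zones_for_slave(slave, root)
    return sorted(wanted - set(currently_slaved)), sorted(set(currently_slaved) - wanted)
```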
