[as112-ops] DNSSEC?
Paul Vixie
vixie at isc.org
Wed Jan 13 18:57:33 UTC 2010
in terms of information security, the big concern for RFC1918 PTR zones is
the information leaked in the updates or exposed in the queries. it's not
going to be common for someone to be using host based authentication (like
the old BSD .rhosts file) these days, other than on low value targets. if
someone is concerned about any of this then they can work to stop leaking
their RFC1918 PTR updates/lookups, which is what we want them to do anyway.
so, quite apart from the impracticality of getting a distributed project
like AS112 to do something like DNSSEC (with a shared signing key that is
somehow kept out of the hands of MiTM attackers), there's the fact that no
security problem in RFC1918 PTR zones that could be solved by DNSSEC isn't
better solved by folks just stopping their leaks in the first place.
More information about the as112-ops
mailing list