[dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
Bill Larson
wllarso at swcp.com
Mon May 1 00:15:10 UTC 2006
On Apr 30, 2006, at 5:40 PM, Niall O'Reilly wrote:
> On 30 Apr 2006, at 20:02, Jim Reid wrote:
>> Niall O'Reilly said he posted something through the
>> "have your say" feature of the BBC web site.
>
> FYI, here's what I posted.
>
> Although the observations described at http://news.bbc.co.uk/1/hi/
> technology/4954208.stm
> are interesting and raise important issues, their relation to the
> conclusions made appears
> to be at best only tenuous. Internet experts are far from convinced
> of the rigour of Prof.
> Sirer's logic. It is disappointing to see BBC so ready to report just
> one side of a story.
I'm not disagreeing with anybody here, I'm not exactly sure what I
personally believe at this time and I hope that this discussion helps
me make up my mind. But, I keep thinking back on an old security tool
that I used to use and the implications of it's design on this issue.
Many years ago Dan Farmer wrote a tool to audit the security of a
system called COPS. This was built on the idea that the security of a
system can be no greater than the security of it's weakest link. How
can the "security of the DNS system" be considered as any better than
the security of the parent servers? This is the basis for the CoDoNS
investigation.
Using an example from the paper. If the FBI has a delegated server
that can be easily hijacked, then this would mean that a significant
number of queries for information in the "fbi.gov" domain could be
subverted with invalid info. This is a security issue and it is not an
issue under the direct control of the FBI (except for their decision to
base their operation on a third party service).
Isn't this the same type of security issue evaluated with COPS? Isn't
this just an issue of cascading of trust? Why should one situation be
considered acceptable while another is unacceptable?
Please understand, I am not convinced that CoDoNS is any improvement to
the existing DNS system. I am still trying to develop my own informed
opinion rather regurgitating than what Cornel or the BBC says.
Bill Larson
More information about the dns-operations
mailing list