[dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream

Bill Larson wllarso at swcp.com
Mon May 1 00:15:10 UTC 2006 

On Apr 30, 2006, at 5:40 PM, Niall O'Reilly wrote:

> On 30 Apr 2006, at 20:02, Jim Reid wrote:
>> Niall O'Reilly said he posted something through the
>> "have your say" feature of the BBC web site.
>
> FYI, here's what I posted.
>
> Although the observations described at http://news.bbc.co.uk/1/hi/
> technology/4954208.stm
> are interesting and raise important issues, their relation to the
> conclusions made appears
> to be at best only tenuous. Internet experts are far from convinced
> of the rigour of Prof.
> Sirer's logic. It is disappointing to see BBC so ready to report just
> one side of a story.

I'm not disagreeing with anybody here, I'm not exactly sure what I 
personally believe at this time and I hope that this discussion helps 
me make up my mind.  But, I keep thinking back on an old security tool 
that I used to use and the implications of it's design on this issue.

Many years ago Dan Farmer wrote a tool to audit the security of a 
system called COPS.  This was built on the idea that the security of a 
system can be no greater than the security of it's weakest link.  How 
can the "security of the DNS system" be considered as any better than 
the security of the parent servers?  This is the basis for the CoDoNS 
investigation.

Using an example from the paper.  If the FBI has a delegated server 
that can be easily hijacked, then this would mean that a significant 
number of queries for information in the "fbi.gov" domain could be 
subverted with invalid info.  This is a security issue and it is not an 
issue under the direct control of the FBI (except for their decision to 
base their operation on a third party service).

Isn't this the same type of security issue evaluated with COPS?  Isn't 
this just an issue of cascading of trust?  Why should one situation be 
considered acceptable while another is unacceptable?

Please understand, I am not convinced that CoDoNS is any improvement to 
the existing DNS system.  I am still trying to develop my own informed 
opinion rather regurgitating than what Cornel or  the BBC says.

Bill Larson

More information about the dns-operations mailing list