[dns-operations] Kaminsky: Protect IP Act Would Break DNS
Mark Andrews
marka at isc.org
Mon Jul 18 00:31:13 UTC 2011
In message <8014C63D-276E-4694-8119-D67FF817E6EB at virtualized.org>, David Conrad
writes:
> On Jul 17, 2011, at 2:57 AM, Dobbins, Roland wrote:
> > On Jul 17, 2011, at 7:08 PM, Joe Greco wrote:
> >> That's like saying we lack hard data about climate change.
> >
> > Beyond knowing that the climate 'changes' four times a year, we do in fact
> > lack any hard data which can be relied upon in even the most cavalier fashion
> > in this arena, so this might not be the best analogy to make.
>
> If you're arguing that folks will ignore data that disagrees with their
> ideological stance, I'd unfortunately have to agree.
>
> However, in the context of this thread, data on DNS behavior is somewhat
> limited. What we do have suggests to me that an increase in the diversity of
> query sources and number of queriers would get lost in the vast tracts of crap
> that already gets thrown at authoritative servers.
>
> Unfortunately, as someone who for a time ran a local (validating) caching
> resolver on my laptop, operational reality is that turns out to be a pain.
> There are too many stupid middleboxes and ISPs (T-Mobile Hotspot, I'm looking
> at you) that block port 53, particularly on user validation. For example,
> every time I was at LAX, I'd have to switch my resolv.conf to use T-Mobile's
> DNS servers so I could connect to a web page to authenticate myself. If I
> didn't, I'd get DNS lookup failures in my web browser. Quite annoying.
Which is something that is fixable with time by giving them better solutions
than what they are currently doing.
* DHCP option pointing to an authentication page using IP literals.
* 802.11x
The really hard part is the so-called "transparent" dns caches which
are anything but transparent.
> Given ISPs now monetize port 53, I have some skepticism this will get better.
Even they tend to leave alone DNS going to other servers.
> Regards,
> -drc
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org