[dns-operations] Interesting messages in our logs

Phillip Hallam-Baker phill at hallambaker.com
Sat Nov 1 20:27:53 UTC 2014


On Sat, Nov 1, 2014 at 4:15 PM, Paul Vixie <paul at redbarn.org> wrote:

>  Phillip Hallam-Baker <phill at hallambaker.com>
>  Saturday, November 01, 2014 1:08 PM
>
> ...
>
> One of the concerns I have about approaches to DPRIVE is that they tend to
> start from the DNS specification and add security to that model rather than
> look at real world implementations.
>
> ...
>
>
> i've briefly advised the dns-privacy@ group to avoid opacity as a goal.
> dns's control and data planes are intermixed, and any attempt to reduce the
> forwarding/recursion/caching layer to zero knowledge will be an even larger
> task than creating DNS in the first place and then tuning and tweaking it
> for the last ~25 years. we'll see what happens.
>

One of the most common failure modes in security designs is the mistaken
belief that there is only one security concern.

The thing is that almost every security problem is quite easily solved if
that is the only problem that is recognized. Hence my concern about a
charter that only talks about one problem.

The NSA is the cause du jour. But they are only one intelligence agency and
surveillance is only one of the potential harms people face on the net.
Russian hacker gangs trying to steal people's money or encrypt their data
and hold the keys for ransom are rather more commonly exercised threats.

Curated DNS is potentially a tool that can be used to provide protection.
But as with any sort of anti-virus there is a privacy consequence and the
introduction of a trusted third party with potentially serious intrusive
capabilities.