
Re: Install DNS mappings based on TLS/IPsec?



Joe and all,

  It would seem that following what is more and more recognized
in the commercial world that a need to do better with Bind and the
latest version being more broadly implemented would be more helpful.
See:

    0. http://www.defcon.org/html/defcon-12/dc-12-index.html
    1. http://www.defcon.org/html/defcon-12/dc-12-speakers.html#kaminsky
    2. http://news.com.com/2100-1002_3-5291874.html?tag=nefd.top



Joe Touch wrote:

> Iljitsch van Beijnum wrote:
>
> > On 4-jul-04, at 10:43, Brian E Carpenter wrote:
> >
> >> Are you suggesting that the multi6 solution should have a strict
> >> dependency on using TLS or IPSEC?
> >
> >
> > Certainly not. I'm saying two things:
> >
> > - if the DNS doesn't work, discover information that would normally be
> > in the DNS through the TLS or IKE negotiation, and
>
> Sorry for the late addition to the thread, but the use of the DNS for
> forward and reverse lookups is often to provide confirmation of identity.
>
> To that end, DNSSEC is useful, by removing the assumption of trust with
> true trust. The presumption in either case is that if the DNS tree
> verifies fwd/rev, then things are reasonable.
>
> IKE relies either on X.509 keys (a different hierarchy) or preshared
> secrets. At best, all this does is move the problem (DNSSEC certificate
> hierarchy -> X.509 certificate hierarchy); at worst, it exposes the
> endpoint to assuming identity when the pre-shared key could be open
> (compromised, or deliberate).
>
> I.e., it would be necessary (IMO) to limit this to identities exchanged
> by IKE/TLS based on CAs, not based on preshared keys. That may not be
> feasible.
>
> > - the DNS is often insecure, so let the TLS or IKE derived information
> > override it to increase security
>
> The more independent trust mechanisms there are the less trust that
> results, IMO.
>
> Joe
>
> > But if TLS/IPsec aren't used, the information is taken from the DNS.
> >

Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Be precise in the use of words and expect precision from others" -
    Pierre Abelard

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
E-Mail jwkckid1@ix.netcom.com
 Registered Email addr with the USPS
Contact Number: 214-244-4827
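Joe Touch's point above is that forward and reverse DNS are often used together as a confirmation of identity: the PTR record for the connecting address names a host, and the A/AAAA record for that host must point back at the same address before anything is trusted. The following is an added illustration of that forward-confirmed reverse DNS check, not code from the thread or from any project mentioned in it. The `StubResolver`, the zone data and the addresses (documentation ranges) are constructed so the example runs offline; it deliberately does not model DNSSEC, so, as Joe notes, it trusts whoever answers the query and only catches a reverse zone that lies when the forward zone disagrees.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, added illustration.

The resolver is a constructed in-memory stub (assumption: a real
deployment would call a validating, DNSSEC-aware resolver instead).
"""
import ipaddress

# Constructed zone data. PTR records are keyed by the reversed-address
# name, A records by hostname; all names are lower-case and fully qualified.
CONSTRUCTED_ZONES = {
    "PTR": {
        # Legitimate host: reverse and forward agree.
        "10.100.51.198.in-addr.arpa.": ["mail.example.net."],
        # Whoever controls the reverse zone for 203.0.113.0/24 can assert
        # any name; only the forward lookup exposes the mismatch.
        "7.113.0.203.in-addr.arpa.": ["mail.example.net."],
    },
    "A": {
        "mail.example.net.": ["198.51.100.10"],
    },
}


class StubResolver:
    """Answers PTR/A/AAAA queries from the constructed zone dictionary."""

    def __init__(self, zones):
        self.zones = zones

    def query(self, name, rtype):
        # Return a copy so callers cannot mutate the zone data.
        return list(self.zones.get(rtype, {}).get(name.lower(), []))


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns_check(ip, claimed_name, resolver):
    """Return (ok, reason) for a forward-confirmed reverse DNS check.

    ok is True only when the PTR for `ip` names `claimed_name` AND the
    forward A/AAAA records for that name include `ip` again.
    """
    addr = str(ipaddress.ip_address(ip))
    claimed = claimed_name.lower().rstrip(".") + "."

    ptr_names = [n.lower() for n in resolver.query(reverse_name(addr), "PTR")]
    if not ptr_names:
        return False, "no PTR record"
    if claimed not in ptr_names:
        return False, "PTR does not name the claimed host"

    forward = resolver.query(claimed, "A") + resolver.query(claimed, "AAAA")
    forward_addrs = [str(ipaddress.ip_address(a)) for a in forward]
    if addr not in forward_addrs:
        return False, "forward lookup does not return the connecting address"
    return True, "forward and reverse agree"


if __name__ == "__main__":
    r = StubResolver(CONSTRUCTED_ZONES)
    for ip in ("198.51.100.10", "203.0.113.7", "203.0.113.8"):
        print(ip, fcrdns_check(ip, "mail.example.net", r))
```

The check is only as strong as the answers it receives: with a plain resolver a spoofed PTR and a spoofed A record that agree with each other pass, which is why the thread treats DNSSEC (or a CA-backed identity from TLS/IKE) as the thing that turns this heuristic into something closer to real trust.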