
[6bone] Request: two 6bone pTLAs

On 15-May-04, at 1:19, Paul Jakma wrote:

>> Are you afraid people are going to run malicious DNS resolvers?

>> That's an interesting problem. However, note that any ISP already
>> gets to do this and much worse.

> No, a public recursive DNS service would be very susceptible to DNS
> poison attacks, both the easy attack by handing out deliberately
> poisoned additional info on unrelated queries

Why would this be a problem for WKA resolvers more than for any other 
resolvers, and:

> (though BIND no longer
> accepts unrelated additional info, so not a huge problem, AFAIK),

> I'm not a DNS expert, I strongly suggest you seek advice on the risks
> of public recursive service from someone who is. (esp as you seek to
> investigate making such service global infrastructure).

No need. You are at the mercy of the person running the resolver for 
anything that doesn't use strong authentication (such as SSL, IPsec and 
SSH, if used correctly).

But then, regardless of the faint outcries of people who chose to be 
"security experts", this is pretty much a fact of life for most types 
of communication. If you want to be absolutely secure, you're going to 
have to expend a lot of time and money on that and be prepared to 
give up lots of stuff that can't be made secure (either inherently or 
in practice).

[Use WKA resolvers only privately]

>> So what exactly would be the purpose of having them?

> They still can be. Each ISP, or other organisation controlling a
> network, can route the WKA to an appropriate DNS server. Exact same
> as with 6to4, the address is global, but site dependent.

6to4 is a perfect example of what I want to do with WKA DNS resolvers: 
there are some people who run a global service (which you apparently 
didn't notice) but people also get to install their own private relays 
if they so choose. (That's for the part from the regular IPv6 internet 
towards 6to4 addresses, the other way around fully depends on public 
relays or non-well known ones.)

>> An alternative to globally reachable WKAs would be site-local WKAs.

> Site-locals are deprecated, aren't they?

Don't you watch horror movies? The monster always comes back after 
being killed the first time.  :-)
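As an added example (my own code, not from this thread or from BIND) of the "unrelated additional info" check the quoted remark refers to, assuming the resolver knows which zone it sent the query to; zone and record values are constructed:

```python
# Added example, not code from the thread or from BIND: a bailiwick filter of
# the kind the message has in mind when it says BIND "no longer accepts
# unrelated additional info". A resolver that cached every additional record
# a server returned could be poisoned by a server that answered a query for
# its own zone while slipping in a bogus A record for an unrelated name; the
# fix is to keep an additional record only if its owner name lies inside the
# zone the responding server was asked about. Zone and record values below are
# constructed sample data.

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it.

    Comparison is case-insensitive and ignores a trailing dot. The "." + zone
    suffix test stops "evilexample.net" from matching zone "example.net".
    """
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    if z == "":          # the root zone contains every name
        return True
    return n == z or n.endswith("." + z)


def filter_additional(zone: str, additional: list):
    """Split additional-section records into (accepted, rejected).

    Each record is a constructed (owner, type, rdata) tuple; only records whose
    owner is within `zone` (the zone the resolver sent the query to) survive.
    """
    accepted, rejected = [], []
    for rr in additional:
        (accepted if in_bailiwick(rr[0], zone) else rejected).append(rr)
    return accepted, rejected


# Constructed response: a server for example.net answering a query for
# www.example.net. The NS glue is legitimate; the last two records are the
# kind of unrelated "additional info" an unfiltered cache would have stored.
SAMPLE_ZONE = "example.net."
SAMPLE_ADDITIONAL = [
    ("ns1.example.net.", "A", "192.0.2.53"),
    ("NS2.Example.NET.", "AAAA", "2001:db8::53"),
    ("www.bank.example.", "A", "198.51.100.66"),   # out of bailiwick
    ("evilexample.net.", "A", "203.0.113.7"),      # suffix trick, also rejected
]

if __name__ == "__main__":
    ok, bad = filter_additional(SAMPLE_ZONE, SAMPLE_ADDITIONAL)
    print("cached:", ok)
    print("dropped:", bad)
```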