The worst thing about the exploit -- Have you done your part?
Mark Elkins
mje at posix.co.za
Tue Jul 29 16:46:24 UTC 2008
On Tue, 2008-07-29 at 19:31 +1000, Mark Andrews wrote:
> > On Sat, 26 Jul 2008, Alan Clegg wrote:
> >
> > > Date: Sat, 26 Jul 2008 11:41:10 -0400
> > > From: Alan Clegg <Alan_Clegg at isc.org>
> > > To: Ben Croswell <ben.croswell at gmail.com>, DNS BIND <bind-users at isc.org>
> > > Subject: Re: The worst thing about the exploit -- Have you done your part?
> > >
> > > Ben Croswell wrote:
> > >> I also see a lot of people calling for DNSSEC to fix the underlying
> > >> issue, but unless I am mistaken DNSSEC won't fix the issue unless we
> > I got to ask the painfully obvious question... Why hasn't DNSSEC started
> > at the top? Why aren't the root servers supporting it?
>
> Layer 9 politics. Talk to your local member and ask them to request
> that the root gets signed.
> Com is waiting for NSEC3 support. BIND 9.6 will have NSEC3 support.
> NSEC3 removes the ability to enumerate the zone contents. It also
> reduces the size requirements when optout is in use making the size
> changes proportional to the number of secure delegations.
>
> Mark
> > Jeff Earickson
> > Colby College
If everyone was overnight running DNSSEC - we'd have a more secure DNS
system - but what applications actually use that knowledge?
I know there is (was? - can't seem to locate it just now) a Firefox
extension to get it to show the status of a DNS lookup (no DNSSEC,
DNSSEC and signed OK, DNSSEC with bad sig) and to show a status bar in
some appropriate colour - but what about all the other applications that
use DNS? I understand that Firefox will still use "bad" (signed but
incorrect signature) DNS - kinda like the padlock icon for secure web
pages - which Joe Public still ignores...
So what about all other apps that use DNS?
Don't they have to be 'fixed' too?
Should the application refuse to work if it encounters a bad DNSSEC signature?
(Any guesses as to when BIND 9.6 will appear?)
--
Posix Systems - Sth Africa. e.164 VOIP ready
mje at posix.co.za - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496
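The three lookup states the message lists (no DNSSEC, signed and OK, signed with a bad signature) are something an application can read off the header of the answer it gets from a validating recursive resolver: NOERROR with the AD bit set means validated, NOERROR without AD means unsigned (or a resolver that does not validate), and SERVFAIL means either bogus data or an unrelated resolver problem, which a retry with CD=1 tells apart (RFC 4035). The following is an added example, not code from this thread or from BIND: a small Python classifier over constructed wire-format responses, plus a fail-closed policy that refuses bogus answers while still accepting unsigned ones. All names (DnssecStatus, classify, should_use_answer, build_response) and the sample messages are my own.

```python
"""Classify DNS responses by DNSSEC validation state, as an application might.

Hypothetical example (not from the bind-users thread).  Works on raw DNS
wire-format headers (RFC 1035 s4.1.1; AD/CD bits from RFC 4035 s3.2) using
only the standard library.  Sample responses are constructed inline, so no
network access is needed.
"""
import struct
from enum import Enum
from typing import Optional

# Header flag bits (RFC 1035 / RFC 4035)
QR = 0x8000   # message is a response
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
AD = 0x0020   # authenticated data: the resolver validated every RRset
CD = 0x0010   # checking disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


class DnssecStatus(Enum):
    SECURE = "signed and validated (AD=1)"
    INSECURE = "no DNSSEC: unsigned zone or non-validating resolver (AD=0)"
    BOGUS = "signed but validation failed (SERVFAIL, succeeds with CD=1)"
    RESOLVER_FAILURE = "SERVFAIL even with CD=1; not a DNSSEC verdict"
    SERVFAIL_UNRESOLVED = "SERVFAIL; a CD=1 retry is needed to tell bogus from broken"
    OTHER_ERROR = "other RCODE (NXDOMAIN, REFUSED, ...)"


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its flags and section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def classify(plain: bytes, cd_retry: Optional[bytes] = None) -> DnssecStatus:
    """Classify what a validating resolver said about a name.

    `plain` answers an ordinary (CD=0) query.  A validating resolver returns
    SERVFAIL for signed data whose signatures fail, but also for unrelated
    failures, so `cd_retry` (the same query re-sent with CD=1) disambiguates:
    if it succeeds, the data exists and was rejected by validation (bogus);
    if it fails too, the resolver is simply broken for that name.
    """
    hdr = parse_header(plain)
    if not hdr["qr"]:
        raise ValueError("not a response")
    rcode = hdr["rcode"]
    if rcode == NOERROR:
        return DnssecStatus.SECURE if hdr["ad"] else DnssecStatus.INSECURE
    if rcode != SERVFAIL:
        return DnssecStatus.OTHER_ERROR
    if cd_retry is None:
        return DnssecStatus.SERVFAIL_UNRESOLVED
    if parse_header(cd_retry)["rcode"] == NOERROR:
        return DnssecStatus.BOGUS
    return DnssecStatus.RESOLVER_FAILURE


def should_use_answer(status: DnssecStatus) -> bool:
    """Fail-closed policy: accept validated and unsigned answers, refuse bogus.

    Treating INSECURE like BOGUS would break resolution for the majority of
    zones, which are unsigned; refusing BOGUS is the whole point of validating.
    """
    return status in (DnssecStatus.SECURE, DnssecStatus.INSECURE)


def build_response(ident: int, rcode: int, ad: bool = False, cd: bool = False,
                   qname: str = "example.com") -> bytes:
    """Construct a minimal wire-format response (header + question) for tests."""
    flags = QR | RD | RA | (AD if ad else 0) | (CD if cd else 0) | (rcode & RCODE_MASK)
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


# Constructed sample responses covering the states discussed in the thread.
SAMPLES = {
    "signed_ok": (build_response(0x1001, NOERROR, ad=True), None),
    "no_dnssec": (build_response(0x1002, NOERROR), None),
    "bad_sig": (build_response(0x1003, SERVFAIL),
                build_response(0x1003, NOERROR, cd=True)),
    "resolver_down": (build_response(0x1004, SERVFAIL),
                      build_response(0x1004, SERVFAIL, cd=True)),
}

if __name__ == "__main__":
    for name, (plain, retry) in SAMPLES.items():
        status = classify(plain, retry)
        print(f"{name:14s} -> {status.name:20s} use answer: {should_use_answer(status)}")
```

The CD=1 retry is what a browser add-on of the kind mentioned in the message has to do to show "signed but bad" at all, since a validating resolver otherwise hides the bogus data behind SERVFAIL; an application that does not want a coloured indicator but simply a safe default can skip the retry and treat any SERVFAIL as "do not use".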