NSEC3 salt lifetime (and some other DNSSEC params): sane value?

Kalman Feher kalman.feher at melbourneit.com.au
Wed Sep 22 15:45:14 UTC 2010




On 22/09/10 11:29 AM, "Matus UHLAR - fantomas" <uhlar at fantomas.sk> wrote:

>>> I'll reply with a quote from the BIND & DNS book:
>>>
>>> It's the difference between letting random folks call your company's
>>> switchboard and ask for John Q. Cubicle's phone number [versus] sending
>>> them a copy of your corporate phone directory.


>> That is a poor analogy.


> imho it's perfect.

Analogies to specific issues are a poor idea. They abstract details that
should be considered, and by trying to visualise the new example you
associate properties that don't exist within the original problem.

I could list differences, but it would pander to the belief that somewhere
out there is the perfect non-DNS example to a DNS problem.

Zone walking and its perceived risks should only be considered in light of
DNS knowledge, not boats, not phone switchboards or any other non-DNS item.

It's fine to convey simple concepts using an analogy. But by using one for a
specific issue (on bind-users), you betray ignorance of the problem at hand
by relying on unrelated behaviours and properties to fill in the blanks for
you.

It is a poor analogy because so many of the properties of the original
problem (DNS software, zone walking software, publicly available RRs)
simply do not behave in ways even vaguely similar to a human answering a
phone.

If you think zone walking prevention (such as it is) makes you more secure,
I say prove it. Show me something measurable. Show me how you can protect a
publicly available resource by preventing zone walking (which isn't
preventable, by the way). After that, feel free to tell me how a phone
switchboard would implement the same solution.


-- 
Kal Feher 