ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Re: [Gnso-liaison] DNS Server Survey Reveals Mixed Security Picture

  • To: peter@xxxxxxxxxxxxxxxx, ga@xxxxxxxxxxxxxx, gnso-liaison@xxxxxxxxxxxxxxxxxxxxxxx
  • Subject: Re: [ga] Re: [Gnso-liaison] DNS Server Survey Reveals Mixed Security Picture
  • From: jwkckid1@xxxxxxxxxxxxx
  • Date: Thu, 22 Nov 2007 20:41:59 -0600 (GMT-06:00)

Peter and all,

  Indeed what you suggest is one scenario.  But hardly the
only scenario.  Such will depend on how DNSSEC is used
and implemented.

-----Original Message-----
>From: Peter Dambier <peter@xxxxxxxxxxxxxxxx>
>Sent: Nov 22, 2007 4:11 AM
>To: ga@xxxxxxxxxxxxxx, gnso-liaison@xxxxxxxxxxxxxxxxxxxxxxx
>Subject: [ga] Re: [Gnso-liaison] DNS Server Survey Reveals Mixed Security 
>Picture
>
>
>I am afraid DNS security is just a means to introduce censorship into DNS.
>
>Governments and ISPs used to tweak their resolvers to tell you
>they were google.com or c*ildpo*n.com depending on the continent
>they were living.
>
>Now somebody else wants to force control from the root down to
>the resolvers so only a single point in the DNS tree has control
>to introduce censoring wherever he likes. We no longer have a
>centralised but delegated DNS, now we have a single point of failure.
>
>Alternative DNS would be impossible with DNS security.
>
>What is it good for?
>
>
>Windows is known to have the only DNS resolver that does even
>cache used horseshoes thrown at it. E.g. you can use NetBIOS
>packets to override DNS.
>
>
>Bind 8 has replaced Bind 4.
>Bind 9 has replaced Bind 8.
>
>There are still security relevant patches in Bind.
>
>
>I have never seen a security relevant patch for djbdns.
>djbdns is as old as Bind 4.
>djbdns does not even use DNS security and still you
>never could cachepoison djbdns.
>
>
>Mostly you get a NAT-router between your windows box
>and the internet. Those NAT-routers can cook tea and boil eggs.
>E.g. they have builtin DNS resolvers that are fast but even
>more dangerous than windows DNS.
>
>I have never seen a NAT-router of the SoHo family that knows
>about DNS security. Neither does windows.
>
>
>So it is only people with a network manager who care about
>DNS security. Those people could run djbdns just as easily
>and would really be secure without waiting for the next plus one
>issue of DNS security.
>
>
>Kind regards
>Peter and Karin Dambier
>
>
>jwkckid1@xxxxxxxxxxxxx wrote:
>> All,
>> 
>>   It appears that others in the security business are
>> also very concerned about DNS security or the increasing
>> lack thereof.
>> 
>> The word on the latest annual survey of the state of DNS on the Net. 
>> The survey, commissioned by infrastructure appliance vendor Infoblox, 
>> found that the use of Windows DNS Server in Internet-facing 
>> applications has fallen off dramatically as more users act on 
>> concerns about security. BIND 9, the latest version, gained against 
>> earlier, less secure versions. But in other dimensions, DNS practices 
>> showed little improvement from a security point of view. Hardly
>> anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone
>> transfers, a number little changed from last year. Here's a video
>> http://www.techworld.com/video/popupCricketVideo.cfm of an
>> interview with Infoblox's chief architect Cricket Liu on the state of
>> DNS.
>> 
>> Other links:
>>      http://www.techworld.com/networking/news/index.cfm?newsid=10690
>>      http://dns.measurement-factory.com/surveys/200710.html
>>      
>> Regards,
>> 
>> Jeffrey A. Williams
>> Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
>> "Obedience of the law is the greatest freedom" -
>>    Abraham Lincoln
>> 
>> "Credit should go with the performance of duty and not with what is very
>> often the accident of glory" - Theodore Roosevelt
>> 
>> "If the probability be called P; the injury, L; and the burden, B; liability
>> depends upon whether B is less than L multiplied by
>> P: i.e., whether B is less than PL."
>> United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
>> ===============================================================
>> Updated 1/26/04
>> ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
>> Phone: 214-244-4827
>> 
>> 
>> 
>
>
>-- 
>Peter and Karin Dambier
>Cesidian Root - Radice Cesidiana
>Rimbacher Strasse 16
>D-69509 Moerlenbach-Bonsweiher
>+49(6209)795-816 (Telekom)
>+49(6252)750-308 (VoIP: sipgate.de)
>mail: peter@xxxxxxxxxxxxxxxx
>mail: peter@xxxxxxxxxxxx.pirates
>http://www.cesidianroot.com/
>http://iason.site.voila.fr/
>https://sourceforge.net/projects/iason/
Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827


