ICANN/GNSO GNSO Email List Archives

[ga]



[ga] Re: Someone responded to: Not a Guessing Game

  • To: "info@xxxxxxxxxxxx" <info@xxxxxxxxxxxx>
  • Subject: [ga] Re: Someone responded to: Not a Guessing Game
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Wed, 16 Jul 2008 03:16:03 -0700

David,

  Thanks for your comments.  I wasn't aware that ICANN or the
IANA were pushing for DNSSEC.  Who seems to be the
originator of the resistance to doing so, and why in your opinion?
Is it possibly resistance from the GAC or DOC/NTIA?

  As it has been known amongst many security professionals like
myself of the holes in DNS for quite a few years, and now that
Dan has taken that public much to the chagrin of Paul, and a few
others who are IMO far too worried about public image rather
than getting the job done, why now all of a sudden effectively, has
it become a priority?  My guess is that the many legal cases that
have been dismissed, and damaged individuals as a result of
DNS security holes accordingly along with many complaining to
CERT, USDOJ, state Atty. Generals, etc., have made addressing
same politically necessary.  This set of reasons, although understandable,
in no way justifies them as means to an end that could and would have
been fixed years ago.  For me anyway, political reasons to address
a known technical problem are utterly ridiculous in the extreme...

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827


info@xxxxxxxxxxxx wrote:

> New comment posted to the following discussion at CircleID:
>
> Not a Guessing Game
>
> Comment by David Conrad
> http://www.circleid.com/posts/87143_dns_not_a_guessing_game/#4240
>
> <i>that demo is of technology, not political will, and is therefore
> somewhat off-topic.</i>
>
> One of the points of the demo was to indicate IANA was undertaking to be in
> a position to sign the root, even at non-trivial cost (you think multiple
> FIPS 140-3 hardware security modules come free?). I'm not sure how that
> cannot be a demonstration of political will on the part of ICANN to see
> that the root gets signed, but it is actually irrelevant. Even if the root
> were signed today, it would be essentially meaningless to address this
> particular vulnerability in the foreseeable future since:
>
> a) last I checked, a total of 4 TLDs are currently signed (SE, PR, BR, and
> BG);
> b) infinitesimally few caching servers are configured to validate responses
> and a goodly portion of the caching servers that people use either do not
> now support DNSSEC (e.g., Microsoft's DNS server, PowerDNS, OpenDNS, etc.)
> or will never (according to the author) support DNSSEC (e.g., djbdns);
> c) even if every zone on the planet were signed and trust anchors were
> appropriately configured and maintained, the mechanisms by which validation
> failure is returned to the end user are indistinguishable from a variety of
> network problems for the vast majority of applications. As a result, an ISP
> turning DNSSEC on will likely be subject to a flood of expensive support
> calls, greatly encouraging that ISP to turn DNSSEC off.
>
> That is not to say that I wish to discourage you from tilting at that
> particular windmill (after all, any journey starts with a single step and
> all of the above can be fixed with sufficient effort), but there is a
> <b>lot</b> more to seeing DNSSEC usefully deployed than "signing the
> root". Further, as you well know, the shorthand "sign the root" means
> quite a bit more than running dnssec-signzone over the root zone data and
> it is simply silly to assume ICANN is or even should be in a position to
> undertake the steps to "sign the root" unilaterally.
>
> <i>What I do know is that if ICANN and USG had the political will to make
> this happen, it would happen.</i>
>
> While I know in some circles it is considered a fun sport to bash ICANN,
> asserting ICANN doesn't have the political will to see the root signed is
> both wrong as well as somewhat insulting to the folks at IANA and ICANN who
> have spent a considerable amount of time, resources, and energy to see forward
> motion.

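Point (c) of the quoted comment, as an added example that is not part of either message: a validating resolver reports a DNSSEC failure with the same SERVFAIL code it uses for upstream outages, so the usual diagnostic is to repeat the query with the Checking Disabled (CD) bit set and compare the two replies. The function names and the header bytes below are constructed for illustration.

```python
import struct

NOERROR, SERVFAIL = 0, 2

def parse_flags(msg: bytes) -> dict:
    """Decode the header flags of a DNS message (RFC 1035, AD/CD per RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes; message truncated")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return {
        "qr": bool(flags & 0x8000),   # 1 = response
        "ad": bool(flags & 0x0020),   # Authenticated Data: resolver validated the answer
        "cd": bool(flags & 0x0010),   # Checking Disabled: validation was skipped on request
        "rcode": flags & 0x000F,
    }

def classify(normal: bytes, checking_disabled: bytes) -> str:
    """Compare the reply to a normal query with the reply to the same query sent with CD=1."""
    n, c = parse_flags(normal), parse_flags(checking_disabled)
    if not (n["qr"] and c["qr"]):
        raise ValueError("both inputs must be responses")
    if n["rcode"] == SERVFAIL and c["rcode"] == NOERROR:
        # Data is reachable but the resolver refused it: signature or trust-anchor problem.
        return "dnssec-validation-failure"
    if n["rcode"] == SERVFAIL and c["rcode"] == SERVFAIL:
        # Fails even without validation: unreachable or broken authoritative servers.
        return "resolution-failure"
    if n["rcode"] == NOERROR:
        return "validated" if n["ad"] else "unvalidated"
    return "other"

def header(flags: int, msg_id: int = 0x1234) -> bytes:
    """Constructed sample input: a bare 12-byte header with all section counts zero."""
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    # Constructed replies: QR|RD|RA = 0x8180, plus AD (0x20), CD (0x10) or an rcode.
    print(classify(header(0x8182), header(0x8190)))  # SERVFAIL, then NOERROR with CD=1
    print(classify(header(0x8182), header(0x8192)))  # SERVFAIL both times
```

An application that only sees the first reply cannot tell the two printed cases apart, which is the support-call problem the comment describes.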



