ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Re: Registries & Security Safeguards

  • To: Stephane Bortzmeyer <bortzmeyer@xxxxxx>, Danny Younger <dannyyounger@xxxxxxxxx>
  • Subject: Re: [ga] Re: Registries & Security Safeguards
  • From: Hugh Dierker <hdierker2204@xxxxxxxxx>
  • Date: Fri, 15 Sep 2006 06:29:38 -0700 (PDT)
  • Cc: ga@xxxxxxxxxxxxxx
  • In-reply-to: <20060915084151.GA32364@nic.fr>
  • Sender: owner-ga@xxxxxxxxxxxxxx

Excellent evaluation here, Stephane,
   
  In security we often ask, and indeed start from, the question "is nothing better than half assed?". Usually the answer is yes. If you are going to provide security and tell the whole world how you are going to do it, you might as well not do it.
   
  e

Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
On Thu, Sep 14, 2006 at 11:41:49AM -0700, Danny Younger wrote a message of 25 lines which said:

> "An expert 

I may question the word "expert", regarding that document. There is a
lot of FUD, and few technical details (and mostly wrong).

> report released today concluded that in proposals for the .com,
> .biz, .info and .org registries, the Internet Corporation for
> Assigned Names and Numbers (ICANN) has failed to ensure adequate
> security safeguards."

Well, most readers of that list will be happy to learn that the DNS is
at risk because ICANN takes "bottom-up representation" *too* seriously
:-)

> The report, written by leading security technology expert Jerry
> Archer

Sic

> entitled "DNS -- A System in Crisis" recommends that oversight,
> planning and testing provisions be implemented in the proposals to
> run these registries before they are finalized.

Basically, it suggests moving ICANN to a sort of security agency,
exercising a very close and detailed monitoring of registries. I do
not even know if the US FAA monitors the airline companies as closely
as the "expert" would like the ICANN to monitor the registries
(including "on-site inspections").

Some stupid technical mistakes (the author seems to be very far from
DNS server management):

1) "ICANN has failed to develop competition or otherwise drive
diversity into DNS development, creating a monolithic DNS subject to
systemic attacks. DNS software is generally some version of
BIND. VeriSign is the notable exception, having developed its ATLAS
system in 2002."

[What, nsd or ANS do not exist? The "expert" does not even know that
Atlas is derived from BIND.]

2) Absolutely no mention of anycast (even when talking about the 2002
attack on the root name servers, which triggered its massive
deployment).



 				