[4374] in cryptography@c2.net mail archive


Re: bind with DNSSEC finally released

daemon@ATHENA.MIT.EDU (Donald E. Eastlake 3rd)
Tue Mar 23 13:14:14 1999

To: Derek Atkins <warlord@MIT.EDU>
Cc: cypherpunks@algebra.com, cryptography@c2.net
In-reply-to: Your message of "22 Mar 1999 15:23:16 EST."
             <sjmiubtgtor.fsf@datkins.ihtfp.org> 
Date: Tue, 23 Mar 1999 01:18:19 -0500
From: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>

Why didn't you just do a type=ANY query to "." and find out?

The answer is, of course not.  The root servers are somewhat sensitive
and currently there are 13 of them because that is the maximum number
you can have without overflowing DNS UDP and requiring the much higher
number of packets needed for a DNS TCP retrieval.  Exactly how this is
going to play out is not clear.  The EDNS0 extension allows larger UDP
which could accommodate root level KEY and SIG RRs and EDNS0 is being
pushed through but just how fast it will be deployed is not clear.
Still, I claim every step improves DNS security.  There are all kinds
of interim possibilities such as resolvers installing an "NSI" key for
a while that authenticates everything in .com, .net, .org, and .edu...

There was a DNS Operations BoF at the last IETF and some of this may
be addressed by any resulting working group.

Thanks,
Donald

From:  Derek Atkins <warlord@MIT.EDU>
To:  Lucky Green <shamrock@netcom.com>
Cc:  cypherpunks@algebra.com, cryptography@c2.net
References:  <002c01be7277$c02557a0$0200a8c0@cypherpunks.to>
Date:  22 Mar 1999 15:23:16 -0500
In-Reply-To:  Lucky Green's message of Fri, 19 Mar 1999 18:16:56 -0800
Message-Id:  <sjmiubtgtor.fsf@datkins.ihtfp.org>

>Having Bind 8.2 is only the first step.  Are the root servers actually
>supplying valid KEY and SIG RRs for the TLDs?
>
>-derek
>
>Lucky Green <shamrock@netcom.com> writes:
>
>> 
>> Seems bind 8.2 with the long-awaited secure DNS fully integrated has finally
>> been released. Say goodbye to DNS spoofing. Since the included crypto is
>> meant to be used for authentication only and the licensing agreement
>> prohibits the use of the said crypto for non-authentication purposes, the
>> distribution is freely exportable. :-)
>> 
>> Install bind 8.2 on your DNS server today and permanently fix one of the
>> largest and longest-standing security holes on the Internet.
>> 
>> ftp://ftp.isc.org/isc/bind/src/8.2/
>> 
>> --Lucky Green <shamrock@netcom.com>
>>   PGP 5.x  encrypted email preferred
>> 
>> 
>
>-- 
>       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>       Member, MIT Student Information Processing Board  (SIPB)
>       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
>       warlord@MIT.EDU                        PGP key available
>
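The UDP size argument above, as an added example that is not part of this thread: a small DNS wire-format builder (with RFC 1035 name compression) shows that a root priming response for the 13 root servers fits in the 512-byte UDP limit, that appending a root KEY and SIG RR (RFC 2535 types 25 and 24, with constructed rdata sizes for a 1024-bit RSA/MD5 key) pushes it over, and that an advertised EDNS0 payload size (RFC 2671 OPT pseudo-RR) is what makes the larger answer fit again. The glue addresses and key/signature sizes are constructed placeholders, not real root-zone data.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP payload maximum (RFC 1035)
ROOTS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]   # the 13 root servers

class Message:
    def __init__(self, edns_payload=None):
        self.buf = bytearray(12)      # 12-byte header; counts left zero since only size matters
        self.names = {}               # suffix -> byte offset, for compression pointers
        self.edns_payload = edns_payload   # advertised EDNS0 UDP size, or None for classic DNS

    def name(self, name):
        labels = [l for l in name.rstrip(".").split(".") if l]
        out = bytearray()
        while labels:
            suffix = ".".join(labels)
            if suffix in self.names:   # already in the message: emit a 2-byte pointer
                return bytes(out + struct.pack("!H", 0xC000 | self.names[suffix]))
            self.names[suffix] = len(self.buf) + len(out)
            out += bytes([len(labels[0])]) + labels[0].encode()
            labels = labels[1:]
        return bytes(out + b"\x00")
    def rr(self, owner, rtype, rdata):   # generic RR with pre-encoded rdata
        self.buf += self.name(owner) + struct.pack("!HHIH", rtype, 1, 3600000, len(rdata)) + rdata
    def ns(self, owner, target):         # NS rdata is a name, so it is compressed in place
        self.buf += self.name(owner) + struct.pack("!HHI", 2, 1, 3600000)
        start = len(self.buf)
        self.buf += b"\x00\x00"          # RDLENGTH placeholder, patched once rdata is known
        rdata = self.name(target)
        self.buf += rdata
        struct.pack_into("!H", self.buf, start, len(rdata))
    def size(self):   # an EDNS0 OPT pseudo-RR (RFC 2671) adds 11 bytes to the message
        return len(self.buf) + (11 if self.edns_payload else 0)

    def fits_udp(self):
        return self.size() <= (self.edns_payload or UDP_LIMIT)

def priming_response(with_key_sig=False, edns_payload=None):
    """Build the answer to '. IN NS' that a resolver uses to find the root servers."""
    m = Message(edns_payload)
    m.buf += m.name(".") + struct.pack("!HH", 2, 1)          # question section
    for host in ROOTS:
        m.ns(".", host)                                       # 13 NS records
    for host in ROOTS:
        m.rr(host, 1, b"\x7f\x00\x00\x01")                    # A glue, constructed address
    if with_key_sig:   # constructed sizes for a 1024-bit RSA/MD5 KEY (type 25) and its SIG (type 24)
        m.rr(".", 25, bytes(136))                             # flags, proto, alg, exponent, modulus
        m.rr(".", 24, bytes(18) + m.name(".") + bytes(128))   # 18 fixed bytes, signer name, signature
    return m
```

Calling `priming_response()` gives 436 bytes (fits), `priming_response(with_key_sig=True)` gives 741 bytes (does not fit in 512), and `priming_response(with_key_sig=True, edns_payload=4096)` gives 752 bytes that fit within the advertised EDNS0 size.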

