Interesting, not unexpected.

Posted Feb 13, 2008 2:03 UTC (Wed) by gdt (subscriber, #6284)
In reply to: Interesting, not unexpected. by jd
Parent article: DNS Inventor Warns of Next Big Threat (Dark Reading)

Either it's flawed and needs reworking, or the admins are whinging and the major DNS brokers should impose it.

It's all three.

1) The design is broken. Implementing DNSSEC allows all DNS names in a zone to be enumerated.

2) Admins are hopeless. Most can't even implement a non-open DNS forwarder correctly. DNSSEC is well beyond their knowledge.

3) Firms which have won major DNS maintenance contracts don't wish to incur the additional development and running costs of DNSSEC as they currently see no benefit.

All of these can be fixed. (1) by reserving the top-level zone of a delegation (ie: *.example.com) for only publicly-known hosts and using a DNSSEC zone with a different key for private hosts (ie: intranet.*.example.com) or no DNSSEC at all where the DNS name does not matter (*.dhcp.example.com). (2) by training. (3) by politics.

Interesting, not unexpected.

Posted Feb 13, 2008 12:50 UTC (Wed) by admcd (subscriber, #5415)

(1) is also being addressed with the development of NSEC3 records (currently awaiting publication as an RFC) which add a layer of indirection using hashing to avoid the zone walking problem.
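An added illustration of the hashing indirection admcd describes, not code from either commenter: it computes NSEC3 owner hashes as specified in RFC 5155 (SHA-1 over the wire-format name plus salt, re-hashed a configurable number of times, base32hex encoded) and shows that a denial-of-existence proof only exposes the two neighbouring hashes, not the zone's real names. The zone contents are constructed; the salt and iteration count are the ones used in the RFC's own example zone.

```python
import hashlib

# base32hex alphabet (RFC 4648 section 7); a 20-byte SHA-1 digest encodes to exactly 32 characters
B32HEX = "0123456789abcdefghijklmnopqrstuv"

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of a DNS name: b'\\x01a\\x07example\\x00' for 'a.example.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def base32hex(data: bytes) -> str:
    """Unpadded base32hex; only used on 20-byte digests, whose 160 bits split evenly into 5-bit groups."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); result is IH(iterations)."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)

def build_chain(zone_names, salt: bytes, iterations: int):
    """Sorted hashed owner names; each NSEC3 record points from one hash to the next, wrapping at the end."""
    return sorted(nsec3_hash(n, salt, iterations) for n in zone_names)

def covering_record(chain, h: str):
    """Return the (owner_hash, next_hash) pair whose interval strictly contains h, or None if h is in the chain."""
    for i, cur in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        if cur < nxt and cur < h < nxt:
            return (cur, nxt)
        if cur >= nxt and (h > cur or h < nxt):   # last record wraps around to the first
            return (cur, nxt)
    return None

def deny_existence(zone_names, query: str, salt: bytes, iterations: int):
    """What a signed answer reveals for a non-existent name: two hashes, never a cleartext neighbour."""
    chain = build_chain(zone_names, salt, iterations)
    h = nsec3_hash(query, salt, iterations)
    if h in chain:
        return ("exists", h)
    return ("covered",) + covering_record(chain, h)

if __name__ == "__main__":
    # Constructed zone; salt and iteration count taken from the RFC 5155 example zone (NSEC3PARAM 1 0 12 aabbccdd)
    zone = ["example.", "a.example.", "ns1.example.", "www.example.", "intranet.example."]
    print(deny_existence(zone, "nothere.example.", bytes.fromhex("aabbccdd"), 12))
```

The tuple printed for a missing name contains only base32hex hashes, which is why a resolver walking NSEC3 replies learns the hashed owner names but not the zone's cleartext hostnames.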

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds