
Re: draft-ietf-dnsext-forgery-resilience-01.txt



On Mon, Nov 12, 2007 at 02:57:51PM +0000,
 Paul Vixie <paul@vix.com> wrote 
 a message of 24 lines which said:

> there's no consensus that even a ~31 bit pseudo random combination
> of source port and query ID is good enough to have confidence that
> any given answer was really received from a purported server.

As mentioned by Bert, we do not try to achieve the same result as
DNSSEC. We try to raise the bar for the attacker. A sort of
Better-Than-Nothing security.

> there is also no consensus on the meaning of "good" in the context
> of "good random source".  some say arc4random is fine, others say
> it's too weak.

Hence the idea to delegate the whole point to RFC 4086, which is
already written.


archive: <http://ops.ietf.org/lists/namedroppers/>
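A worked risk estimate for the point under discussion, added here as an example and not part of the original message or the draft: it applies the spoofing-success estimate that the forgery-resilience work was published with in RFC 5452, P = (D*R*W)/(N*P*I), to compare query-ID-only randomization with a combined source-port-and-ID space. The port ranges and the attacker budget (packets per second, window length) are constructed assumptions, not measurements.

```python
import math

# Scenario constants: constructed illustrative values, not measurements.
ID_SPACE = 1 << 16                 # 16-bit DNS query ID
FULL_PORT_RANGE = 65536 - 1024     # ephemeral ports 1024..65535 (assumption)
NARROW_PORT_RANGE = 61000 - 32768  # a stack confined to 32768..60999 (assumption)


def entropy_bits(port_count: int, id_count: int) -> float:
    """Bits an off-path attacker must guess per answer: log2(ports * IDs)."""
    return math.log2(port_count * id_count)


def spoof_success_probability(d, r, w, n, p, i) -> float:
    """RFC 5452 estimate P = (D*R*W)/(N*P*I), capped at 1.

    d: identical outstanding queries, r: attacker packets/s, w: window (s),
    n: authoritative servers, p: ports in use, i: query IDs in use.
    """
    return min(1.0, (d * r * w) / (n * p * i))


def windows_until_likely(target: float, per_window: float) -> int:
    """Smallest k with 1 - (1 - q)^k >= target, q = per-window success."""
    if not 0 < target < 1:
        raise ValueError("target must be in (0, 1)")
    if per_window <= 0:
        raise ValueError("per-window probability must be positive")
    if per_window >= 1:
        return 1
    return math.ceil(math.log(1 - target) / math.log(1 - per_window))


def compare_strategies(r: float = 7000.0, w: float = 0.1) -> dict:
    """Same attacker budget (r pps, w s) against three randomization levels."""
    out = {}
    for label, ports in (("id_only", 1), ("narrow_ports", NARROW_PORT_RANGE),
                         ("full_ports", FULL_PORT_RANGE)):
        q = spoof_success_probability(1, r, w, 1, ports, ID_SPACE)
        out[label] = {"bits": entropy_bits(ports, ID_SPACE), "per_window": q,
                      "windows_to_50pct": windows_until_likely(0.5, q)}
    return out


if __name__ == "__main__":
    for label, row in compare_strategies().items():
        print(f"{label:13s} {row['bits']:5.1f} bits  P/window={row['per_window']:.2e}"
              f"  windows to 50% = {row['windows_to_50pct']}")
```

The narrow port range lands close to the "~31 bit" figure quoted above, which is why the usable ephemeral range, not just the query ID, decides how much the bar is actually raised.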