[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNS Security



Hello,

I am writing to strongly urge that the DNS Working Group formulate its
security requirements and provide them as input to the IP Security 
Working Group.  This is motivated by two concerns:

(1) I am concerned by the ever growing number of different
cryptographic security protocols in the IP protocol suite.
	Certainly I do not think that a single protocol could cover
all requirements.  For example, e-mail security has many special
considerations and its traffic extends well beyond the IP Internet so
it is reasonable that its needs are different from those of TELNET,
for example.  But do TELNET and FTP and NNTP and DNS and NFS and NTP
and so on, seemingly without limit, all require the addition of a
specially crafted security protocol, new commands, etc.?
	The IPSEC WG is concentrating initially on host-to-host
network level security which seems to fit the bill exactly for DNS.
In fact, DNS to me to be a relatively simple case where hosts are the
parties of interest and possible questions of identifying individual
users are the like do not complicate things.

(2) I am concerned that there may be a lack of attention in the IPSEC
WG to requirements related to sporadic datagram traffic, such as UDP
DNS queries, ICMP redirects from routers, etc.  The IPSEC WG seems to
be concentrating mainly on proposals patterned after "connection
oriented" ISO protocols.  By this I do not mean that the proposals
will only work for a connection protocol like TCP but rather that they
always require set-up, critical state at both ends, and tear down,
even if all you are tying to do is push through one secure datagram.
I believe an IP network level security protocol should have efficient
ways of handling isolated datagram traffic, including DNS
transactions, router originated ICMPs or various sorts, etc.  Even if
there have to be "two protocols", one for isolated datagram traffic
and one for more connection like continuous traffic between hosts (or
subnets), it would be good to consider them simultaneously to maximize
their alignment.

I believe consideration of the DNS security requirements by the IPSEC
WG would be beneficial to both and now is the time for requirements
to be fed into the IPSEC working group.

Donald

PS:	I have sent mail to namedroppers-request asking to be added to
the DNS WG mailing list but don't know just when this will happen.  In
the mean time please CC me.

*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-+*+-
 Donald E. Eastlake, III     1-508-486-2358(w)     dee@skidrow.ljo.dec.com
 PO Box N, MIT Branch PO                           dee@ranger.enet.dec.com
 Cambridge, MA 02139 USA     1-617-244-2679(h)



Follow-Ups: