I bit the bullet and wrote an RFC ('to be')

Posted by bert hubert Tue, 09 May 2006 20:15:00 GMT

I’ve long been a somewhat active member of the relevant DNS mailing lists, ‘namedroppers’ and ‘dnsop’, both affiliated with the IETF DNS workgroups.

I consider myself a bit of an outcast in the DNS community as I don’t sing the praises of DNSSEC, nor BIND, but I suspect this is not entirely fair as there are quite a number of people who are far more outcast than I am. So I suspect I’m on the fringe of the DNS community in the sense that I incidentally take part in useful email discussion, either on list or privately with relevant parties.

I recently called upon nameserver authors and operators to either upgrade their nameserver so it performs adequate anti-spoofing measures, or switch to a nameserver implementation that does (like tinydns or of course PowerDNS).

This call fell on very deaf ears it appears. The BIND people promised to look into it but as noted then, without an apparant sense of urgency. Not a lot has happened since, except that I’ve reiterated my recommendation privately to a number of relevant people.

In the meantime, I’ve been told the Microsoft nameserver is about 4 times easier to spoof than BIND, but I’ve been unable to verify this.

So, I did what I never thought I’d do, I wrote something intended to be an RFC. In short, this RFC specifies that a recursor MUST implement adequate anti-spoofing measures, and details what this entails.

Read all about it as old school text or rendered as pretty HTML. The RFC-compliant output is made possibly by the interesting but quirky tool xml2rfc.

I’ll spend some more time polishing the document before submitting it as an Internet Draft. I also need to figure out the correct procedure to set things in motion.

I sincerely hope nameservers that are easy to spoof clean up their act quickly, hopefully even before my draft hits the standards track.

Posted in ,  | 12 comments | no trackbacks

Comments

  1. Leen Besselink said 1 day later:
    Here is some food for thought: If you really think that your solution is more secure and you are serious about making the internet more secure, you should change the license of the recursor so people can include it in there own products. :-)
  2. ahu said 3 days later:
    They are free to do so. I happen to believe in the power of the GPL to foster cooperation and not just incorporation.
  3. recipricol link said 217 days later:
    exchange links link partners backlink link service exchange program popular link exchange links exchange system exchange service web link exchange travel links exchange recipricol link
  4. fee said 342 days later:
    a lot of spam
  5. big naturals said 381 days later:
    Compilator for such programms like GenEngineCompile is impossible to install, why?
  6. my first sex teacher said 383 days later:
    Can anyone advice normal hosting provider? i don't need free like blogger, i need paid!
  7. teen models said 384 days later:
    Definetely try re-installing apache or try to trace path to server!
  8. tera patrick said 385 days later:
    I find this article useful for both beginners and skilled users, thank you!
  9. bang bus said 386 days later:
    Very nice article, thank you!
  10. bang bus said 386 days later:
    Here is better than anywhere, i probably will stay!
  11. we live<sp>together said 388 days later:
    I can assume this is most poweful blog system!
  12. bang bros said 389 days later:
    Very pleased to read this article!

Trackbacks

Use the following link to trackback from your own site:
http://blog.netherlabs.nl/articles/trackback/302

Comments are disabled