Internet slows down after DNS attack on Spamhaus
Christopher Browne
cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Mar 28 16:19:42 UTC 2013
On Thu, Mar 28, 2013 at 10:48 AM, Neil Watson
<tlug-neil-8agRmHhQ+n2CxnSzwYWP7Q at public.gmane.org> wrote:
> On Thu, Mar 28, 2013 at 10:39:25AM -0400, Lennart Sorensen wrote:
>>
>> Plain old DNS is insecure. This is part of why DNSSEC is being pushed,
>> but not very many places are using it.
>
>
> I want to like DNSSEC, but its complexity is off-putting. Security
> should be simple. Inconvenient perhaps but still simple.
It's desirable for security to be simple; that doesn't guarantee that it
will be so.

What's unfortunate about DNSSEC is that it seems to make a bunch of
behaviours more brittle and prone to break down, which is, in the
"availability" sense, counter to 'good security.'

There are inherently conflicting purposes here...

- If I want to connect to my bank's web site, it is a pretty bad thing
  if I cannot connect to it.
- It is also a pretty bad thing if I get "spoofed" onto another web site.

Unfortunately, introducing DNSSEC increases the set of ways that I
might discover that I can't connect to my bank's web site. It's not
obvious that customers will consider that to be a "feature."
--
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists