Re: [Fed-Talk] DCO Chat on Mavericks
- Subject: Re: [Fed-Talk] DCO Chat on Mavericks
- From: Henry B Hotz <email@hidden>
- Date: Fri, 14 Feb 2014 13:25:20 -0800
On Feb 14, 2014, at 12:38 PM, "Shawn A. Geddis" <email@hidden> wrote:

> Henry,
> It is always good to file a report, so I would encourage you to do so.

Noted ;-) I'll have to think how to describe it, but this thread is helping.

> BTW, the use of DNS reverse lookup is not a recent OS implementation and it does have value. I would agree that wide deployment of DNSSEC would in fact be a very good move, but the “widespread deployment” is the issue as of now.

Kind of my point. ;-)

> With a lack of that, the reverse lookup adds value to ‘further’ identify potential problems - it is not the only way. I would argue that in no way is this allowing or causing a DoS of the endpoint as you posit.
I'll grant you that it's not generally a hostile DoS, usually just a bureaucratic one. If someone *wants* to DoS something there are better ways to do it. However if someone hostile (and competent) is mucking with DNS, it's good cryptographic protections which are going to detect and block the attack, not an extra DNS lookup. The problem will look exactly like what started this thread, and it's a bad idea to have your protection system generate false warnings.
I would argue that the Kerberos community has a lot more experience with this issue than the PKI community. Practically speaking it's a significant deployment problem.
I've been finding new variations on this problem at least once/year for the past 10 years.
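The kind of check argued about above, as an added example that is not from this thread, from Apple, or from any Kerberos implementation: a forward-confirmed reverse DNS round trip (name to addresses to PTR names and back) run over constructed zone tables. It assumes the reverse-lookup check under discussion behaves like that round trip; the zone names and addresses are made up, and a CNAME is written as the string "CNAME:<target>". The cases show why the check fires on ordinary deployments (a CNAME to a hosting provider, two names sharing one address with a single PTR) while a resolver under an attacker's control can serve a perfectly consistent pair of zones and pass it.

```python
"""Forward-confirmed reverse DNS (FCrDNS) over constructed zone data.

Added example, not code from the original thread. The zone tables are
made up; a CNAME is written as the string "CNAME:<target>".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union

Zone = Dict[str, Union[List[str], str]]

# Constructed forward zone (name -> addresses, or a CNAME target).
FORWARD: Zone = {
    "kdc.example.gov": ["192.0.2.10"],
    "mail.example.gov": ["192.0.2.20"],
    "www.example.gov": ["192.0.2.20"],            # shares an address with mail
    "portal.example.gov": "CNAME:web-frontend.hosting.example.net",
    "web-frontend.hosting.example.net": ["198.51.100.5"],
}
# Constructed reverse zone (address -> PTR names). One PTR per address,
# which is the usual practice even when several names point at it.
REVERSE: Dict[str, List[str]] = {
    "192.0.2.10": ["kdc.example.gov"],
    "192.0.2.20": ["mail.example.gov"],
    "198.51.100.5": ["web-frontend.hosting.example.net"],
}


@dataclass
class Result:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def resolve_forward(zone: Zone, name: str, depth: int = 0) -> List[str]:
    """Follow CNAME chains (bounded) to addresses; [] if nothing resolves."""
    if depth > 8:
        return []
    rec = zone.get(name)
    if rec is None:
        return []
    if isinstance(rec, str):
        if rec.startswith("CNAME:"):
            return resolve_forward(zone, rec[len("CNAME:"):], depth + 1)
        return []
    return list(rec)


def fcrdns(forward: Zone, reverse: Dict[str, List[str]], name: str,
           strict_name: bool = True) -> Result:
    """Round trip: name -> addresses -> PTR names -> addresses.

    strict_name=True additionally requires the queried name itself to be
    among the PTR names; that is the variant that turns a CNAME or a shared
    address into a 'mismatch' warning. Neither mode authenticates anything:
    whoever answers the queries decides whether the check passes.
    """
    addrs = resolve_forward(forward, name)
    if not addrs:
        return Result(False, [f"{name}: no forward record"])
    reasons: List[str] = []
    for addr in addrs:
        ptrs = reverse.get(addr, [])
        if not ptrs:
            reasons.append(f"{addr}: no PTR")
            continue
        # Loose form: some PTR name must resolve back to this address.
        if not any(addr in resolve_forward(forward, p) for p in ptrs):
            reasons.append(f"{addr}: PTR {ptrs} do not resolve back")
            continue
        if strict_name and name not in ptrs:
            reasons.append(f"{addr}: PTR {ptrs} != {name}")
    return Result(not reasons, reasons)


# Constructed: a resolver under an attacker's control answers both the
# forward and the reverse query for a host the attacker owns. The round
# trip is internally consistent, so the check has nothing to object to.
ATTACKER_FORWARD: Zone = {"kdc.example.gov": ["203.0.113.66"]}
ATTACKER_REVERSE: Dict[str, List[str]] = {"203.0.113.66": ["kdc.example.gov"]}

if __name__ == "__main__":
    for n in ("kdc.example.gov", "www.example.gov", "portal.example.gov"):
        for strict in (True, False):
            r = fcrdns(FORWARD, REVERSE, n, strict_name=strict)
            print(f"{n:34} strict={strict!s:5} ok={r.ok} {r.reasons}")
    r = fcrdns(ATTACKER_FORWARD, ATTACKER_REVERSE, "kdc.example.gov")
    print(f"attacker-controlled resolver: ok={r.ok}")
```

Only kdc.example.gov passes the strict round trip against the honest zones; www.example.gov and portal.example.gov both produce a mismatch warning despite being correctly configured, and the attacker-controlled pair passes cleanly. Whatever the check is meant to catch, it is not a hostile resolver; that is the job of the cryptographic protections (or of DNSSEC, where it is deployed).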
Fed-talk mailing list (email@hidden)