Re: [Fed-Talk] DCO Chat on Mavericks
- Subject: Re: [Fed-Talk] DCO Chat on Mavericks
- From: "Beatty, Daniel D CIV NAVAIR, 474300D" <email@hidden>
- Date: Tue, 18 Feb 2014 18:10:45 +0000
- Thread-topic: [Fed-Talk] DCO Chat on Mavericks
Hi Henry and Shawn,
It is interesting to see where this thread began, and observe a trend of needs in both cloud and ubiquitous computing. I know that Open Grid Forum (OGF) is working on a secure form of DNS as a newer standard. Like all standards, it requires a good study and prototype development to fully understand the requirements.
In the case of a KDC or PKI setup performing a reverse lookup on a service, the issue of load balanced services comes up. Worse, what if that service can move without system administration action? Clearly research designs need to be thought up and tested to push what understanding has already emerged from both the Kerberos and PKI communities. How do we fund it and encourage such participation?
V/R,
Daniel D. Beatty, Ph.D., CSDP
Senior Computer Scientist,
Detonation Sciences Branch- NAWCWD
1 Administration Circle M/S 1109
China Lake, CA 93555
(760)939-7097
email@hidden
________________________________
From: fed-talk-bounces+daniel.beatty=email@hidden [fed-talk-bounces+daniel.beatty=email@hidden] on behalf of Henry B Hotz [email@hidden]
Sent: Friday, February 14, 2014 1:25 PM
To: Shawn A. Geddis
Cc: Fed Talk
Subject: Re: [Fed-Talk] DCO Chat on Mavericks
On Feb 14, 2014, at 12:38 PM, "Shawn A. Geddis" <email@hidden> wrote:
Henry,
It is always good to file a report, so I would encourage you to do so.
Noted ;-) I'll have to think how to describe it, but this thread is helping.
BTW, the use of DNS reverse lookup is not a recent OS implementation and it does have value. I would agree that wide deployment of DNSSEC would in fact be a very good move, but the “widespread deployment” is the issue as of now.
Kind of my point. ;-)
With a lack of that, the reverse lookup adds value to ‘further’ identify potential problems - it is not the only way. I would argue that in no way is this allowing or causing a DoS of the endpoint as you posit.
- Shawn
I'll grant you that it's not generally a hostile DoS, usually just a bureaucratic one. If someone *wants* to DoS something there are better ways to do it. However if someone hostile (and competent) is mucking with DNS, it's good cryptographic protections which are going to detect and block the attack, not an extra DNS lookup. The problem will look exactly like what started this thread, and it's a bad idea to have your protection system generate false warnings.
I would argue that the Kerberos community has a lot more experience with this issue than the PKI community. Practically speaking it's a significant deployment problem.
I've been finding new variations on this problem at least once/year for the past 10 years.
Personal email. email@hidden