[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC goes to RFC

> Nesta Stubbs writes:
> > There are some other problems too I believe.  I have worked for a decent 
> > sized network who did all user authentication at the terminal servers for 
> > dial-in accounts thru DNS.  This wasn't too bad for just passws and 
> > stuff, but wouldn't this cause some bloat in the nameservers database?  
> HESIOD is an excellent demonstration that it works just fine.
> > As well as cause problems security wise when it comes to updates.  Would 
> > these automatically not be cached in any form by the site making the 
> > request?  This also causes a problem for smaller time people who perhaps 
> > have a PPP/SLIP connection 24/7 but have nameserve done by their prvider, 
> > and I for sure don't want my provider to be in control of those keys. 
> Why not? After all, they are signed. You can have them held by your
> worst enemy and it should be just fine. Thats the idea of public key
> signatures.

Not only that but it's common now for DNS servers to give short TTL
for the answers (multiple A recs for load balancing), no big deal
to have pseudo-subdomains that are pointed at a different server
(Even over slip/ppp) than normal name service.

I believe the root servers answers for intermediate nodes are cached
normally, so key.george.bub.com doesn't cause a root hit after
bub.com has been resolved.

Quite a few domains do run their own name servers, and it's not too tough
to create auto-update scripts, etc.

There's no reason that DNS has to be the only mechanism.  Default
to one method then fallback to others, like direct IP port connection
for query.

> .pm

Stephen D. Williams 25Feb1965 VW,OH (FBI ID) [email protected] http://www.lig.net/sdw
Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011
OO/Unix/Comm/NN       ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95