Re: IPSEC goes to RFC
> Nesta Stubbs writes:
> > There are some other problems too I believe. I have worked for a decent
> > sized network who did all user authentication at the terminal servers for
> > dial-in accounts thru DNS. This wasn't too bad for just passwords and
> > stuff, but wouldn't this cause some bloat in the nameservers' database?
> HESIOD is an excellent demonstration that it works just fine.
> > As well as cause problems security wise when it comes to updates. Would
> > these automatically not be cached in any form by the site making the
> > request? This also causes a problem for smaller time people who perhaps
> > have a PPP/SLIP connection 24/7 but have name service done by their provider,
> > and I for sure don't want my provider to be in control of those keys.
> Why not? After all, they are signed. You can have them held by your
> worst enemy and it should be just fine. That's the idea of public key
Not only that but it's common now for DNS servers to give short TTL
for the answers (multiple A recs for load balancing), no big deal
to have pseudo-subdomains that are pointed at a different server
(Even over slip/ppp) than normal name service.
I believe the root servers' answers for intermediate nodes are cached
normally, so key.george.bub.com doesn't cause a root hit after
bub.com has been resolved.
Quite a few domains do run their own name servers, and it's not too tough
to create auto-update scripts, etc.
There's no reason that DNS has to be the only mechanism. Default
to one method then fallback to others, like direct IP port connection
Stephen D. Williams 25Feb1965 VW,OH (FBI ID) [email protected] http://www.lig.net/sdw
Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011
OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95
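The argument in the message above (cached delegations mean no second root hit, short TTLs keep key records fresh, and a signed record can be held by an untrusted server) as an added worked model. This is example code written for this page, not code from the thread or from any DNS implementation: the names, servers, TTLs, host key and toy RSA parameters are all constructed, and the RSA is textbook RSA with tiny primes, fine for showing the sign/verify flow but not secure.

```python
"""
Toy model of a caching resolver fetching a signed key record from a
delegated pseudo-subdomain. Added example; every name, server, TTL and
key below is constructed for illustration.
"""
import copy
import hashlib

# ---- toy textbook RSA on constructed small primes (NOT secure) ----
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # key owner's private exponent

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:              # only the key owner can do this
    return pow(_digest(data), D, N)

def verify(sig: int, data: bytes) -> bool: # anyone with (E, N) can check it
    return pow(sig, E, N) == _digest(data)

def _suffixes(name: str):
    """'key.george.bub.com.' -> ['com.', 'bub.com.', 'george.bub.com.', 'key.george.bub.com.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

HOST_KEY = b"ipsec-pubkey-of-george-v1"    # constructed host key to publish

def key_rdata(owner: str, hostkey: bytes):
    """KEY rdata = (host key, owner's signature over name|key)."""
    return (hostkey, sign(owner.encode() + b"|" + hostkey))

# Constructed authoritative servers: server name -> {owner: [(rtype, ttl, rdata)]}
SERVERS = {
    "root": {"bub.com.": [("NS", 86400, "ns.bub.com.")]},
    "ns.bub.com.": {
        "www.bub.com.": [("A", 3600, "192.0.2.10")],
        # pseudo-subdomain delegated to the user's own box (e.g. over PPP)
        "george.bub.com.": [("NS", 3600, "ns.george.bub.com.")],
    },
    "ns.george.bub.com.": {
        "key.george.bub.com.": [("KEY", 60, key_rdata("key.george.bub.com.", HOST_KEY))],
    },
}

class Resolver:
    def __init__(self, servers, now=0):
        self.servers, self.now = servers, now
        self.cache = {}      # (name, rtype) -> (rdata, expires_at)
        self.queries = []    # (server, name) log: where the traffic went

    def _cached(self, name, rtype):
        hit = self.cache.get((name, rtype))
        return hit[0] if hit and hit[1] > self.now else None

    def _ask(self, server, name):
        """Server answers with its longest matching owner: exact data or a referral."""
        self.queries.append((server, name))
        table = self.servers[server]
        for suffix in reversed(_suffixes(name)):
            if suffix in table:
                return suffix, table[suffix]
        return None, []

    def resolve(self, name, rtype):
        rd = self._cached(name, rtype)
        if rd is not None:
            return rd
        server = "root"
        for suffix in _suffixes(name):      # start at the deepest cached delegation
            ns = self._cached(suffix, "NS")
            if ns is not None:
                server = ns
        for _ in range(8):                  # bounded referral chasing
            owner, rrs = self._ask(server, name)
            for rt, ttl, rd in rrs:
                self.cache[(owner, rt)] = (rd, self.now + ttl)
            if owner == name:
                rd = self._cached(name, rtype)
                if rd is None:
                    raise LookupError(f"{name} has no {rtype}")
                return rd
            ns = self._cached(owner, "NS") if owner else None
            if ns is None:
                raise LookupError(f"no path to {name} from {server}")
            server = ns
        raise LookupError(name)

def fetch_host_key(resolver, name):
    """Fetch the KEY record and accept it only if the owner's signature verifies."""
    hostkey, sig = resolver.resolve(name, "KEY")
    if not verify(sig, name.encode() + b"|" + hostkey):
        raise ValueError(f"signature on {name} KEY record does not verify")
    return hostkey

def demo_caching():
    """Returns the query logs for: first lookup, warm-cache lookups, post-TTL refetch."""
    r = Resolver(SERVERS, now=0)
    fetch_host_key(r, "key.george.bub.com.")
    first = list(r.queries)
    r.queries.clear()
    fetch_host_key(r, "key.george.bub.com.")   # within TTL: served from cache
    r.resolve("www.bub.com.", "A")             # sibling name: cached delegation, no root hit
    later = list(r.queries)
    r.now, r.queries = 61, []                   # KEY TTL (60 s) expired; delegations still fresh
    fetch_host_key(r, "key.george.bub.com.")
    return first, later, list(r.queries)

def demo_tamper():
    """A hostile record holder swaps in its own key but cannot re-sign it."""
    evil = copy.deepcopy(SERVERS)
    genuine_sig = SERVERS["ns.george.bub.com."]["key.george.bub.com."][0][2][1]
    evil["ns.george.bub.com."]["key.george.bub.com."] = [("KEY", 60, (b"attacker-key", genuine_sig))]
    try:
        fetch_host_key(Resolver(evil), "key.george.bub.com.")
    except ValueError:
        return "rejected"
    return "accepted"

if __name__ == "__main__":
    print(demo_caching())
    print(demo_tamper())
```

The query log shows the point being made: the first lookup walks root, ns.bub.com and the PPP box in turn; a later lookup of www.bub.com goes straight to ns.bub.com because the bub.com delegation is cached; and when the 60-second key record expires only the delegated key server is asked again. The tamper demo shows why the holder of the record need not be trusted: the resolver still returns whatever it is given, but the signature check under the owner's public key rejects the substituted key.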