[dnssec-deployment] Cisco products, DNSSEC and EDNS0

Doug Barton dougb at dougbarton.net
Wed Oct 12 12:31:42 EDT 2005


Patrik Fältström wrote:
> Ok, let me turn this around.
> 
> As a manufacturer of something that protects something from bad
> traffic, we want to make sure we don't block legitimate traffic, but at
> the same time block the bad packets.

Ok, so let me turn it around the other way. :) What is the risk of making
the default setting to allow packets up to the limit of EDNS0 (i.e., the
current spec), and do those risks outweigh the benefit of making the thing
"just work" with modern DNS? I think Ed's post highlights the problem very
well for me, which is that this issue can only get worse, not better, and
therefore we better be sure that what's deployed now will still be valid N
years from now, because we all know how likely most network admins are to
keep things patched, etc. BTW, I don't know the right answer to this
question, it might very well be that there are huge risks in allowing big
packets by default, but I'd be interested in the risk/benefit analysis here.

I'd also like to point out that I agree with the idea of having a knob, and
I think that sites who do their own analysis and know their own needs ought
to be able to set whatever limits they want. I just want it to work out of
the box for the less sophisticated users, providing that we're not opening
up big holes in their security by doing so.

Doug
