Author: Marian Otremba (marian_at_zeus.polsl.gliwice.pl)
Date: Fri 11 Apr 1997 - 04:54:59 MET DST
It looks like, because of what hackers are up to, we are going to have to encrypt our computer names. Below is the latest information on this.

What I wonder, though, is how hackers can intercept the transmitted packets and use them to break into a computer?

On the other hand, the DNS verification by nameservers using public keys described below will, in my opinion, considerably lengthen verification time and considerably increase the server's memory requirements. Having to change the software is a minus too.

Still, if it is as bad as written here, maybe we really will have to bite the bullet.
marian otremba
Book of Cyberspace by Simson Garfinkel

6:00pm 9.Apr.97.PDT

Today the Internet's domain name system (DNS) remains one of the network's weakest links. DNS is the Internet protocol that translates host names, like www.hotwired.com, into IP addresses, like 204.62.129.1. It's the phone book of cyberspace, but it's riddled with problems.
Others have chronicled the political problems that the domain name system's top-down structure has created. Most of these problems involve Network Solutions Inc. (aka InterNIC), which manages the .com, .mil, .edu, .gov, .net, and .org top-level domains. NSI has been criticized for its handling of trademark disputes involving domain names and allegedly monopolistic practices.
What's worse, the domain name system is fundamentally insecure. By transmitting rogue packets to a computer, a hacker or information terrorist can confuse that machine, cajoling it into contacting one machine on the Internet when it means to reach another. Under certain conditions, a hacker can use DNS spoofing to break into a computer. DNS spoofing can be used to redirect or steal electronic mail, intercept pages sent over the World Wide Web, or impersonate other Web surfers. It's easy, untraceable, and becoming more common all the time.
Over the past few years, a working group of the Internet Engineering Task Force has developed an improved DNS - called DNSSEC - that solves the protocol's underlying security problems. The Department of Defense's Internet Infrastructure Protection program funded the technical work, which was in turn carried out by Trusted Information Systems. That organization has made a working implementation of the protocol freely available for download.
DNSSEC uses public key encryption and digital signatures to certify every address that's resolved by the DNS system. Each domain is assigned a public key. When your computer looks up a host in a particular domain, it checks the signature on the host's response. This eliminates spoofing; the bad guys can still send you a bogus response, but they can't sign it with the matching private key.
Besides strengthening the domain name system, DNSSEC can function as a database for distributing public keys. "Currently there is no protocol defined for publishing and automatically obtaining a public key for a user, a Web site, etc. DNSSEC can be used for this," says EFF founder John Gilmore, who is helping with the effort. "The keys themselves can be VeriSign keys, DNSSEC keys, Elliptic Curve encryption keys, or whatever."
Getting the Internet to adopt DNSSEC is a three-step process, says Donald Eastlake, secretary of the DNSSEC working group. First, network administrators and webmasters need to create public keys and secret keys for their Internet domains, and store those keys in their DNS servers. Second, they must modify their nameservers so they provide signed responses whenever a DNS query is made. Finally, the major server software companies must modify the resolvers - the programs that run on the desktop and translate domain names into IP addresses - to verify those signatures. But no company I am aware of has announced plans to incorporate DNSSEC into its DNS resolvers. Signature verification also requires use of the RSA patent, and RSA Data Security hasn't yet given its go-ahead.
But what's most disturbing is that few people in the computer industry - even those who work with computer security - have even heard about DNSSEC. It will have to gain a higher profile before it will fly.
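The mechanism the article describes (a zone key, a signature on each answer, a resolver that checks it) and the three-step adoption path (generate keys, sign responses at the nameserver, verify in the resolver) can be seen end to end in a small model. The Go program below is an added example written for this page; it is not the Trusted Information Systems implementation, not the article's code, and not the DNSSEC wire format. It assumes a simplified record set and canonical form of its own, uses RSA with PKCS#1 v1.5 padding over SHA-256 (the article mentions RSA; the hash and padding are this example's choice), borrows the host name www.hotwired.com and the address 204.62.129.1 from the article, and uses 192.0.2.1 (a documentation-range address) as a constructed stand-in for whatever a spoofed answer might carry. It then shows why the poster's worry about intercepted packets is answered by signatures: an injected answer still arrives, but neither a tampered copy of a real answer nor an answer signed with some other key passes verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a simplified model of a DNS resource record set (all records with
// one owner name and type). DNSSEC signs RRsets, not single records.
type RRSet struct {
	Name  string   // owner name, e.g. "www.hotwired.com."
	Type  string   // record type, e.g. "A"
	TTL   uint32   // time to live in seconds
	RData []string // record data; IPv4 addresses for type A
}

// canonical serializes the RRset deterministically (name lower-cased, rdata
// sorted) so that reordering in transit does not break the signature. It
// mirrors the intent of DNSSEC canonical form, not the real wire encoding.
func (rr RRSet) canonical() []byte {
	data := append([]string(nil), rr.RData...)
	sort.Strings(data)
	return []byte(fmt.Sprintf("%s|%s|%d|%s",
		strings.ToLower(rr.Name), rr.Type, rr.TTL, strings.Join(data, ",")))
}

// SignedResponse is a nameserver's answer: the RRset, the zone whose key
// signed it, and the signature (a reduced stand-in for an RRSIG record).
type SignedResponse struct {
	RRSet     RRSet
	Signer    string // zone name, e.g. "hotwired.com."
	Signature []byte
}

// Sign hashes the canonical RRset with SHA-256 and signs the digest with the
// zone's RSA key. SHA-256 and PKCS#1 v1.5 are this example's choice (assumed).
func Sign(zone string, priv *rsa.PrivateKey, rr RRSet) (SignedResponse, error) {
	digest := sha256.Sum256(rr.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{RRSet: rr, Signer: zone, Signature: sig}, nil
}

// Resolver is the verifying side; Anchors holds the zone public keys it
// already trusts, keyed by lower-cased zone name.
type Resolver struct {
	Anchors map[string]*rsa.PublicKey
}

// Accept is true only if the answer names a zone the resolver has a key for
// and the signature verifies under that key. An injected packet can still
// arrive; it just cannot carry a valid signature without the private key.
func (r Resolver) Accept(resp SignedResponse) bool {
	anchor, ok := r.Anchors[strings.ToLower(resp.Signer)]
	if !ok {
		return false
	}
	digest := sha256.Sum256(resp.RRSet.canonical())
	return rsa.VerifyPKCS1v15(anchor, crypto.SHA256, digest[:], resp.Signature) == nil
}

// Scenario reports which of three answers the resolver accepts: the genuine
// one; the same answer with the address swapped and the signature kept; and
// the swapped answer re-signed with a key that is not the zone's. The name
// and 204.62.129.1 are the article's; 192.0.2.1 is a constructed placeholder.
func Scenario() (genuine, tamperedData, wrongKey bool) {
	zoneKey := must(rsa.GenerateKey(rand.Reader, 2048))
	otherKey := must(rsa.GenerateKey(rand.Reader, 2048))
	resolver := Resolver{Anchors: map[string]*rsa.PublicKey{"hotwired.com.": &zoneKey.PublicKey}}
	rr := RRSet{Name: "www.hotwired.com.", Type: "A", TTL: 3600, RData: []string{"204.62.129.1"}}
	resp := must(Sign("hotwired.com.", zoneKey, rr))
	genuine = resolver.Accept(resp)
	tampered := resp // same signature, only the rdata replaced
	tampered.RRSet.RData = []string{"192.0.2.1"}
	tamperedData = resolver.Accept(tampered)
	wrongKey = resolver.Accept(must(Sign("hotwired.com.", otherKey, tampered.RRSet)))
	return
}

// must aborts the demo on errors that only a broken random source produces.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	g, t, w := Scenario()
	fmt.Printf("genuine accepted: %v, tampered rdata accepted: %v, wrong key accepted: %v\n", g, t, w)
}
```

Two points about the design are worth noting against the poster's objections. The resolver never has to trust the nameserver that answered; it only needs the zone's public key in advance, which is why key distribution (step one of Eastlake's list) has to come before signed answers are of any use. And the added cost is one signature verification per answer plus the storage of the signature alongside the record, which is the trade the poster is weighing.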
This archive was generated by hypermail 2.1.7 : Wed 19 May 2004 - 16:03:47 MET DST