Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Internet

Bind, Safer DNS, and IPv6 89

resistant writes: "This article at Network World Fusion (seen at Linux Today) says, "In addition to DNSSEC, BIND 9 features support for IPv6, the ability to run on multiprocessor systems and improved scalability for handling large domain name zones." The urgent need (by Nike anyway, heh-heh) to forestall easy domain hijacking could be the sleeper issue that finally ushers in universal implementation of IPv6."
This discussion has been archived. No new comments can be posted.

Bind, Safer DNS, and IPv6

Comments Filter:
  • Try 2^128 in IPv6. And of course, not all of those 2^32 in IPv4 are available - large chunks are reserved for things like multicast. Plus since addresses are distributed in blocks, while there may be many unused addresses in some of those blocks, they aren't available for other ISP's to use.
  • by resistant ( 221968 ) on Friday October 20, 2000 @05:42AM (#689814) Homepage Journal

    I must be a moron. I can't get NetSol to change my contact information, delete a domain, or change the technical contact info on a domain.

    I've had to do updates [networksolutions.com] at "NetSOL" several times, and these people are scary. I swear they purposely make their site and procedures nearly impossible to decipher. For what it's worth, I stopped having excessive trouble with their automated email-verification scripts (this was a while ago) after realizing (after much hair-tearing) that it is extremely important to be sure that the lines are not wrapped by your email client, in the "template" forms that you email back to them. Also, there must be a space between the colon at the end of each record-descriptor, and the content following on that line (if any). Or, is it must not be a space? Geez, emulate whatever is on the other lines, you know?

    It's been a while and this may be obsolete, or slightly mangled in exact detail. I've never had to resort to the infamous fax procedure [networksolutions.com], and can offer no useful advice on that except to keep on hand a bottle of Aleve, or "other" measures to relieve pain and suffering.

    I've since snuck out the back way to a more friendly [jhcloos.com] (OpenSRS [opensrs.org] reseller [opensrs.org]) registrar with password protection and decent security, not to mention immeasurably more useable automated scripts for Web-access account management.

  • Network vendors *like* scarcity because they can charge more. Look at any ISP -- the cost structure is something like:

    $x) dynamic, non-routable NAT'd addresses
    $x) static, non-routable NAT'd addresses
    $xx) dynamic, routable addresses
    $xx) single static routable address
    $xxx) CIDR-block from provider
    $2500 and up) ARIN-assigned /19-/16
    $10,000 to $20,000) ARIN-assigned /16 or greater

    Provider-sourced CIDRs are often "free" with high-speed dedicated service like DS1/DS3 but they'll nail you if you want more space. Where I work we have some /24s that we own and still manage to get routed, but only because we're with a provider we've been with forever. When we leave, we're fucked.

    Home users? I pay a premium for DSL static IP. I'm not sure if they even sell it to modem users anymore.

  • by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Friday October 20, 2000 @05:50AM (#689816) Homepage Journal
    Benefits of IPv6:

    • Mandatory IP security
    • Mandatory Quality of Service, via flow control
    • Guaranteed mobile IP addressing
    • Automatic Network Configuration, for Heirarchies
    • Simpler Headers == Quicker Routing
    • Mandatory Anycasting
    • Mandatory Multicasting
    • Mandatory Connection Fail-over Support
    • IDRP Routing Protocol
  • by Grit ( 18830 ) on Friday October 20, 2000 @07:22AM (#689817) Homepage
    Mandatory IP security
    Which could be one of the things holding v6 deployment back... If end-to-end IPSEC hasn't been deployed in IPv4, simply "mandating" it in IPv6 doesn't make it easier to do. It just ensures that any IPv6 host might accept IPSEC packets from you--- about what you can assume today. (The mere presence of IPSEC capability on a host says nothing about your ability to use IPSEC to communicate with them.)

    Mandatory Quality of Service
    Lots of IPv6 marketing claims "improved QoS". Most of these claims seem to be based on the presence of a "flow identifier" field in the IPv6 header. A flow identifier alone doesn't do any good without some system to identify meaning to it. Again, QoS doesn't become easier to implement and deploy just because IPv6 requires it. Just because the feature's there doesn't mean the router does anything meaningful with it. (I would welcome any correction--- perhaps I just haven't seen the relevant specification?)

    Guaranteed mobile IP addressing
    Sure, IPv6 mobility is a better design than current IPv4 mobility. (Now, I happen to think that mobility needs to be handled above the IP layer, but that's an argument for another time...) But there's nothing "guaranteed" about it. In fact, IPv6 mobility depends on having a "AAA" structure, the design of which is still being worked out. Even with the architecture there, "guaranteed" is too strong a word--- only a network's willingness to provide the service gives you the ability to use it.

    Automatic Network Configuration
    "for Hierarchies?" I don't understand that. Many people view autoconfiguration of devices as a useful thing. But there's no direct support for ad-hoc networking, which is what I tend to think of as "automatica network configuration".

    Simpler Headers == Quicker Routing
    Software implementation == magnitudes slower routing. So you see a big disadvantage to going to "native" IPv6 until people start creating forwarding hardware for it. Which is expensive, since now you have to have a 128-bit data path (or 256-bit, if you route on source and destination--- as you do for multicast) rather than a 32-bit or 64-bit data path. Perhaps you're referring to the simpler option design? I admit it's worlds better. But in the real world, most packets don't come with options (and those that do get punted up to software), so the real cost is routing lookups. IPv6 claims to make routing tables smaller (using the strict addressing hierarchy)--- we'll see--- but even if they stay the same size, the prefix match gets longer--- which requires either more memory accesses or bigger ternary CAMS. No guarantee of quicker routing in any way.

    Mandatory Anycasting
    I don't like anycast. It's generally not responsive to higher-level failure, but since it's at the network level, you might be stuck with an unresponsive server for a while. Multicast is a better design decision in the local area.

    Mandatory Multicasting
    We've had (multi-source) multicast for longer than the Web. It hasn't really been deployed worldwide for a variety of reasons. (Hard to route, hard to bill, hard to debug...) Making it "mandatory" only increases wariness about deploying IPv6. Also, single-source multicast (SSM) looks like it may actually go somewhere, has no address shortage, and is much easier to route and debug. But you don't need to go to v6 to use it.

    Mandatory Connection Fail-over Support
    I must plead ignorance to this one, too. However, IPv6 can make multihoming your network a much more difficult problem, since you receive different address ranges for your machines from each of your ISPs. Yet, the entire IPv6 address is the endpoint identifier. So, esentially, your choice of address locks you into a particular ISP. Various tunnelling designs have been suggested to improve this, but they increase the complexity of the network. (To be fair, it's not too much worse than multihoming in IPv4--- unless, like Stanford, you already have an AS number for BGP and are not likely to get a TLA in IPv6. Why upgrade?)

    IDRP Routing Protocol
    Again, I must plead ignorance. But why can't this routing protocol (if it's a good idea) be done with v4?

  • DNSSEC and IPv6 are independant but complementary. DNSSEC allows the authentication of DNS data. IPv6 uses composite addreses (A6 records) thus it is imporant to be able to authenticate all the A6 records used to compose the 128 bit address.
    A good short introduction to DNSSEC [pgp.com],it is little bit out off date as the DNSSEC standards have changed.
  • To talk to an IPv4 network interface you need an IPv4 address. If you don't have one (i.e., you're a v6-only host), the only way to get one is to go through a protocol-translator. Basically, a NAT box that multiplexes the same v4 machine to multiple v6 addresses. Which makes the decision to go to v6 rather than using NAT (especially if you already are using private addresses) somewhat less appealing, in my opinion.
  • Bah yourself.

    Think of it this way. IP normally allows you to make certain assumptions, like "one IP, one network interface". That is of course not true in the presence of NAT.

    NAT's a cute hack for a thorny problem, but it really plays havoc with the topology of the IP address space, and in the long run I think it's a lousy idea.

    And its firewalling is a side effect. People should firewall because they understand the need for firewalls, not because they get it for free when they segment the IP address space.

    --
  • This bug exists in the sendmail 8.9.3 that ships with Solaris 8. It tries the AAAA record first, and if there is an older BIND serving the domain, it will answer with a SERVFAIL if it does not have some other RR for that name. The correct response is an empty one. So mail bounces quite often, until you install sendmail from source.

    This happens whether or not the Solaris host has any IPv6 interfaces, and regardless of the settings in nsswitch.conf for the ipnodes namespace.

  • by Grit ( 18830 ) on Friday October 20, 2000 @07:36AM (#689822) Homepage

    Excellent point, thank you for making it. The deployment of an IPv6-aware DNS server is just one small step. It doesn't address the larger issues involved in deploying IPv6. And I'm somewhat annoyed at CmdrTaco for implying that it does. If all people want is DNSSEC, then that's all they're going to install and configure--- the fact that the software can handle IPv6 is going to be of very limited interest to them.

    Or possibly even a source of annoyance if their software starts sending out v6 address requests before looking for the v4 address. I know somebody who has gotten burned by this--- he upgraded his system to support IPv6. The name lookup tries AAAA first, then A. Well, Stanford's load-balancing DNS server returns the wrong thing to the first request ("name not present", basically, rather than "that name exists but we don't have any v6 addresses"), so the nameserver caches the negative answer and returns it in response to the 'A' query as well. Oops, suddenly he can't log into the computer cluster using the normal domain name. It's true that this is a bug with the load-balancing software, not IPv6. It's just yet another hurdle to overcome.

  • We may have already created the "next" NSI.
  • Can I use DNSSEC today?

    Yes.

    Have the registrars announced any kind of plan or timeline for implementing it?

    No.

    So its use is restricted to your private LAN, where you are your own certificate authority.

  • well the problem with the colon is that you have to press shift to type it, and then let go because numbers have to be typed without shift. there is also no colon on the number pad... well, i think most of us will just have to worry about typing in names so i don't think it will be bad..
  • Comment removed based on user account deletion
  • Look, DNS security problems are mostly fixed in BIND R9, and I"m not sure why we even want to bring up the subject of IPv6, and in case it is not clear, here is the statement I can bet on: migration to IPv6 won't happen in foreseeable future primarily due to the cost of conversion on Internet Backbone. 1st tier providers simply have no incentive to move to IPv6. This is simply not the issue. There are some really hot issues ISPs have to deal with such as Policy Routing, Multicasting, QoS. Please don't tell me IPv6 will help with any of these staff. It won't. For instance the fact that there are some traffic discriminators imbedded into IPv6 packet header is completely irrelevant. There are ToS bits in IPv4 as well, but more to the point, these are the routers, stupid, which must inforce some QoS policies. I've worked for such an ISP for several years and trust me - the issue of migrating to IPv6 never ever came up. Period. By near future I mean say next 5-6 years, but I doubt it will happen after that time either.
  • ?Has anyone tried this?

    Tried it? I rely on it when all else fails and I can't get a customer's domain information changed any other way!

  • ZoneAlarm is free...

    Costs us a bundle. I am the one who (among other things) answers the abuse@ email box for my company, and ZoneAlarm generates an awful lot of false alarms, and my salary is not exactly entry-level. I should charge them for my time.

  • Yeah. In less than 2 years since I wrote that paper, NAI has changed the URL about 6 times, without ever leaving a redirect in place.

    You're right, currently, a bind 9 server cannot handle DDNS from an MS client. We hope to have that working at some point in the future. Another possibility (which doesn't always work, of course), is to let the DHCP server send updates for clients, which means that only the DHCP server needs to authenticate to the server. I know this doesn't work in all cases, but I'd also never advocate using an MS client :)
  • Um, troll, anyone?

    > T. Lee

    The creator of the web?

  • This discussion brings to mind the question: why would an always-on connection want to alter the IP on you anyway? They've got to assign something, so what good is it doing them?

    Because they don't actually understand what they are doing.
    It makes some sense with a dialup in that IP addresses can be assigned to phone lines, routing is simpler and the ISP only needs as many IPs as they have phone lines, not as many as they have customers.
    With a cable modem or ADSL setup the ISP needs as many IPs as they have customers, also changing the IP can complicate things such as routing.

    The only reason that I can think of is that it makes it tougher to operate your own server, which a lot of services don't like to have you doing.

    Except that there are some trivial ways for the customer to run several kinds of server on a dynamic IP. Also the ISP needs to keep records of who had which IP when, for handling abuse. As well as still having the risk of, one idiot getting the whole ISP barred from from service or other.
  • IPv4 has a 32-bit address-range (duh!) which means there are 4,294,967,296 different addresses.

    Except that a fair portion of these are special purpose or otherwise unusable. Also they can only be assigned as a 2^x block (where 2 are special purpose). So eeven if you could assign IPv4 addresses with minimal wastage the actual figure is rather less that 4 billion
  • For Corporate Use, yes. But I was talking about generic $windozeuser. . .

    At work, I use IPChains. . . .

  • But why would you give every person on Earth their very own IP address? Give each family their own IP address and then have them run NAT.
  • But why would you give every person on Earth their very own IP address? Give each family their own IP address and then have them run NAT.
    yeah, but most companies are gonna want their own IP, same as schools, libraries, governments, organizations ... staying with 4G addys (some of which can't be used - see previous posts) would make things pretty tight
  • Comment removed based on user account deletion
  • It's just a start, but if you head to this link you can get a preview stack for Windows 2000 SP1. http://msdn.microsoft.com/downloads/sdks/platform/ tpipv6.asp
  • If $user is stupid enough to not use a firewall on any net-attached device he/she/it richly deserves the consequences. . . After a few wipes and re-installs, or more likely, expensive and inconvienient service calls to $pccompany, they'll learn. ZoneAlarm is free, and Norton's Personal Firewall is fairly simple to use, and isn't bad for a Norton product. . .
  • I've already implemented IPv7 on my LAN. It's really cool, all devices connected via IPv7 are automagically added to a Beowolf cluster. Even your toaster.


    jred
    www.cautioninc.com [cautioninc.com]
    caution, inc.
  • IPv6 (Or IPNG, whichever you prefer) does not support any kind of backwards compatibility natively...

    To answer this technical difficulty, people have the option of using IPv4 tunneling over IPv6, or IPv6 tunneling over IPv4.

    IPv6 over IPv4 allows for IPv6 machines to engage in IPv6 networks on non IPv6 ISPs, and IPv4 over IPv6 could be used to link legacy machines over IPNG networks.

    Furthermore, nothing says a person cannot use a dual stack system - this would be very similar to running IPX or NetBEUI (Wah!) on a machine that runs IPv4 - I could be 3ffe:b00:c18:1fff:0:0:0:287 and still have 205.179.127.117.

    One other thing about IPv6: It does not use subnet masks. Like the good old days of the net, the route to any host can be identified by the IP of the machine in question.

    From Cross Nodes [earthweb.com]
    The IPv6 global aggregation addressing architecture splits addresses into two parts. The high-order 64 bits identify the network, and the low-order 64 bits identify the node. A format prefix gives the type of IPv6 address. Next comes a top-level aggregation entity, likely to be a country or a large carrier, followed by 8 bits reserved for future growth. Then comes another aggregation entity, likely to be a large company or Internet provider, and finally a site-level aggregation entity, probably assigned by the entity above it. Such addresses are far more efficient to route across backbones.


    Aggregation means any address contains its own route. The first few bits of the address might indicate, say, Europe. The packet would go to a router serving Europe, which might see Portugal in the next few bits and forward the packet to Portugal's router. From there, the packet might go on to a router in Lisbon and then on to its final destination.

    Figure 2 shows that the Top-Level Aggregation ID (TLA) uses 13 bits. This gives an upper limit of no more than 8,192 (2 to the 13th power) top-level entities, which pares down the size of the routing table a backbone router would have to deal with to forward packets anywhere in an IPv6 Internet. The next 8 bits are reserved, presumably held back, just in case the TLA allocation should be bigger (or the Next-Level Aggregation ID allocation should be bigger).

    NLA entities are expected to include large ISPs, among others. These entities get their address allocations from the TLAs, who also handle routing for the NLAs. Each TLA can allocate as many as 16 million or so NLA networks (2 to the 24th) The NLAs, in turn, can allocate as many as 65,536 networks each (2 to the 16th) to Site-Level Aggregation (SLA) entities. In other words, network sites. And each SLA entity still has 64 bits of address space to play around with, for as many as 18 million trillion (18,446,744,073,709,551,616) nodes per network.
    Obviously, using this scheme we will probably waste a lot of IP addresses, but there should be more than enough networks to relieve our IPv4 induced shortages.

    One other item of interest is that your SLA entry should now be based on your hardware ethernet address. This may make large networks easier to manage without DHCP.

    If you are interested in IPv6, I highly recommend you read the full article, linked from here [earthweb.com]. (The next version of the Internet protocol -- IPv6)

    As for my opinion of this: the sooner the better. I'm loving the security measures Ipv6 will implement. Finally I'll be able to deal with 31337 k1dd13z who thinks ICMP floods are fun.
  • Damn it, I can't find the reference, but I remember reading that Windows 2000 DNS servers implement the security aspects differently than DNSSEC so they are incompatible with each other.

    So how can the net itself adopt this when it isn't supported by Microsoft? It's going to be a non-issue like Microsoft not yet supporting ipv6 so therefore it's not going anywhere...

    This isn't a troll, it's just the real world. Microsoft effectively is controling it all and me jumping up and down screaming that "it ain't right" or "it's not standard" isn't going to help. If, for example, I'm forced to support Active Directory down the line, I'm also going to be forced to migrate DNS to Win2k DNS servers because the authentication used by MS clients for DDNS updates is incompatible with DNSSEC and it's either go with a Microsoft solution or losen security on my DNS servers and then anyone can spoof an update into my DNS server and make dynamic updates. :(

  • IPv[46] has a version field as the first field in the header. IP implementations are supposed to check this field to determine what version the following header/packet is. Several ways of transmitting IPv6 and IPv4 at the same time are:

    1) have two seperate IP protocol stacks - read the version and send the packet to the correct stack to handle.
    2) encapsulate IPv6 into an IPv4 header (like multicast is done now) when it reaches a router that knows the next hop doesn't understand IPv6

    The second option requires a change in routing protocols or administrator interference with static routes. (ie you have IPv6 in your site, at your border router, you'll have to encapsulate all outgoing packets into IPv4.
  • Home users? I pay a premium for DSL static IP. I'm not sure if they even sell it to modem users anymore.

    My cable modem IP is supposedly 'dynamic' but the DHCP lease has never renewed to a different number. I wonder if you called their bluff and said, "yeah, convert me to dynamic" whether you'd ever get a different one, really? At any rate, my brother has a dynamically-assigned cable modem IP thru another company, and his does indeed change. For various reasons, he doesn't want that behavior and has discovered that if he keeps a socket connection going at all times, the IP won't be changed on him. He's programmed a little script to make sure he's always got a socket active. Maybe something like that would work for you.

    This discussion brings to mind the question: why would an always-on connection want to alter the IP on you anyway? They've got to assign something, so what good is it doing them? The only reason that I can think of is that it makes it tougher to operate your own server, which a lot of services don't like to have you doing.

  • I couldn't switch to dynamic without changing providers, so that's kind of out. I've heard both stories from people with DHCP-based service -- either its the same address as long as the machine is on, or it's something like "it changes frequently".

    You actually *wouldn't* want an always on connection to change. My guess is that places that force a re-negotatiation of the IP lease on a regular basis do so just to prevent servers -- which is another factor in the cost structure. If you want an always-on-we-don't-care-what-servers-you-run service, there's often a premium to be paid for that as well (in addition to the static IP charges...).

  • What happened to IPv5 anyway?
    I believe, another protocol developed at the same time as IPv4 had a similar version field to that of IPv4, but the value was 5 instead of 4. So to avoid confusion with this rarely used protocol, they skipped to v6.
  • Everyone who for a second believes that IPv6 is going to leave anyone out in the cold when it comes time to upgrade hasn't read a SINGLE document describing it. Here is a link [sun.com] for you. Click it. Now. Don't tell me I didn't warn you. That link is a semitechnical overview of IPv6, but for some more important details, see the RFC describing the new sockets system [ipv6.org].

    One thing I want you to get absolutely sure is that IPv6 is fully backward compatible with v4 AND you can switch an individual host or router from v4 to v6 without cutting out any of your v4 customers. From the first link:

    Ease of transition is a key point in the design of IPng. It is not something [that] was added in at the end. IPng is designed to interoperate with IPv4. Specific mechanisms (embedded IPv4 addresses, pseudo-checksum rules, etc.) were built into IPng to support transition and compatibility with IPv4. It was designed to permit a gradual and piecemeal deployment with a minimum of dependencies.

    BTW, another poster made a comment about how 'IPv6 is dead till it ships in a microsoft stack. When it does, IPv6 will be real instantly.' What kind of idiocy!?! Did IPv4 just suddenly become important because Microsoft added it to Win95?!? And besides, with something as important as the IP, no one company (or two, even MS + Cisco have their limits) can dictate what and how it will be. Why don't you go and write some applications that use IPv6 in a way that people want and can't be done in IPv4. Then, and only then, does it become real.


    --------
  • Sure, there will always be lazy programmers who will access internal data structures directly, rather than using the functions meant for that purpose. For instance, when I write a telnet clone, how do I fill out the address part of a struct host_addr entry? using atoi? No, I use a nice function called get_host_by_name (or maybe get_host_by_addr is a better equavilent). As input to this function I send the DNS name of the machine I want to connect to, or its IP address.

    I've spent some time working in kernel space (doing device drivers for proprietary hardware) and someone out there has come up with the idea that a process should be able to handle more than 32 signals (ie the number of signals that fit conveniently into a 32 bit long). Solution? Make the sig_set field bigger, and present some clever functions to set, clear and tests individual signals, as well as sets of them. As long as everyone use these functions instead of accessing the data structures directly, it doesn't really matter how wide the sig_set field is.

    As of now, most of these functions are inlined (probably for speed reasons), but if they are not, it means that even if the physical layout of the structure in memory was to change , programs using the functions would keep on working.

    It's called "defining an interface", and it's a Good Thing (tm) - most of all when there is some reason to change the internals of something, without needing to change the way it works from the outside.

    Still, your concern was what will happen in the transition period, before all systems on the 'Net has switched to the new standard. Probably, the "compatibility" will be backwards-only, and most servers will keep an v4 address just so machines running old software can still access them. However, cleanly written software (using the functions present) will see no real difference at all - they use a different domain for their sockets, but they'll use the same structure (I believe struct host_addr is typedef'd as struct host_addr_ip4 or something similar - the glibc guys will just change that to struct host_addr_ip6).

    OK, this is tonnes more than I'm used to write, so I've probably not really said everything I planned to say, but I hope you'll see that (assuming smart programmers) it's not gonna be a big change to update the protocols.
  • We really aren't in that big of a hit for ip addresses yet. If you do a random sample of reverse dns lookups on the whole address space, you'll end up getting an idea of how many ips have been deployed by the number of ips with reverse setup on them. Out of a sample of 10,000, only ~250 actually have reverse dns setup. Err on the side of caution and say 5% and you still have plenty to grow. Nothing above 226.0. has been deployed yet and it's currently held for research/multicase and could be redesignated for public use.

    Dan Berstein (Qmail) was the one who suggested the scan. Link here [cotse.com]

    Nonetheless, IPv6 is still a good idea because NAT breaks too many things. But we're nowhere near as desperate as they make it out to be.
  • A napkin calculation shows that there is a rough equivalency between IPv6 addresses and nanometers on the surface of the earth. Someone should check my math.
  • The problem with NAT* is that it doesn't work well for any protocol that includes the IP in the data. Protocols like ICQ, IRC, et al, while buggered because they do this, cause a world of pain with NAT. IP Masq gets around this with special modules that recognize the packets and modify the data as well but that's a hack.

    Other protocols, like non-passive FTP, require stateful NAT machines or more kludgy hacks. "Ok now, which internal IP just connected to anime.pr0n.net?" Incoming connections don't work at all unless you reserve the port on the NAT box and forward it off. Even then no two internal IPs can use the same port. Again, things like Apache and proftpd have ways around this but again, they're hacks on top of a system that happen to work for that particular system.

    NAT isn't an end-all, be-all solution. It works amazingly well for some things, but not for others.

    * - I'm leaving out many-to-many NAT here because that would require the NAT machine to listen on just as many IPs as having the machines behind the NAT on the network in the first place.

  • Ummmm.... global warming is real, but you clearly don't understand it based on your comments. I urge you to read PRIMARY SOURCES and not /. hosers like myself; in particular look at the Mauna Loa data and the antarctic ice cores.

    And yes, we already ran out of IP addresses, which is why 10.x.x.x packets hit my firewall from the Internet at large constantly. Portable address blocks are no longer available to small businesses, you have to be an ISP's slave.

    --Charlie
  • That link about being able to swipe someone elses domain scares me. It looks as if anyon registered through Network Solutions is vunerable...

    Has anyone tried this?

    ...and I'm not sure we should trust this Kyle Sagan either.
  • by account_deleted ( 4530225 ) on Friday October 20, 2000 @04:49AM (#689854)
    Comment removed based on user account deletion
  • we aren't resistant to reading so much . Imagine following all those links.
  • by Anonymous Coward on Friday October 20, 2000 @04:54AM (#689856)

    The following links are some that i've come across. They are rather interesting at times:

    A how-to [securiteam.com] for stealing someone's domain name, which was a ddresed in the article [nwfusion.com]. Furthermore, the specs for these protocols [ipv6.org] and implementations can be found here [isc.org] and here [isc.org]. There was also a critical interview calling for the implementation of these more secure systems in order to prevent the holes in the current system.. [internetnews.com]

  • by Cihl ( 241861 )
    Does this mean i won't be able to quit my day job?
  • Can I use DNSSEC today? Have the registrars announced any kind of plan or timeline for implementing it?
  • by Anonymous Coward
    The Internet has been around now for what, 20 years? In all that time, it has been running on IPv4, and we havn't run into any problems.

    As far as i can see, IPv6 doesn't have any benefits over IPv4. The only benefit i can see is that service providers will need to update their equiptment to deal with IPv6, and help line the pockets of Cisco et. al.

    I'm left wondering if i have missed something here? Whats so great about IPv6, if we've done without it so far? Or is IPv6 just an incrental upgrade to IPv4 (What happened to IPv5 anyway?)

    T. Lee
  • Simply because there is limmited amount of IPs available today under IPv4 scheme. That is why it is hard to get more than class C of IPs at the time. And even that is getting harder and harder. And with internet aware home appliances (each with its own IP) 2^32 IPs will not be enough anyway. That is why IPv6 was introduced its is basically 2^64 different IPs and this should last for a long time.
  • by AFCArchvile ( 221494 ) on Friday October 20, 2000 @04:55AM (#689861)
    "The urgent need (by Nike anyway, heh-heh) to forestall easy domain hijacking could be the sleeper issue that finally ushers in universal implementation of IPv6."

    The only way that IPv6 will be implemented is if all the OSes get their TCP/IP drivers updated (unless this thing is backwards compatible, which doesn't seem to be the case implied by the drastic changes). The current IP standard has a possibility of letting you access a little over 4 billion IP addresses. Since there's 6 billion people on the Earth, and the initiative has been set to give every person at least some kind of access to the 'net, this does need to be updated. But what does this mean? Will subnet masks now resemble 511.511.511.0? Or something similar?

    Hopefully, this will be implemented seamlessly, with just a simple driver update. However, I personally think that Nike deserved getting its back orifice reamed; after all, they're the company that has a starting salary of $0.08 an hour.

  • I must be a moron. I can't get NetSol to change my contact information, delete a domain, or change the technical contact info on a domain.

  • Even telco's understand the need for IPv6. They themselve have problems getting new IP addresses. And when internet aware devices will hit the market, and you will need 10 or 15 IPs per household - IPv4 will not be able to hand that.
  • OK, I haven't tried this yet, but judging from the manpages, IPv6 will simply be a new domain value when you create a new socket. It would take more braindamage than I can imagine anyone being capable of not to have a smart little option somewhere, in every networking program, to let the user select v4/v6. Even client programs that won't let you select what server to connect to will include this as an option. It's not even a 5-minute hack (OK, maybe it's gonna take some time to find all calls to socket() - unless they're using a wrapper function for it) to do this. The transparency is good as built-in. (Sure, they'll need different host_addrs - big surprise ...)
    OK, to sum it up: When programs are converted to use IPv6, they just leave the old code in for compatibility. One cmdline param or one checkbox - that's the "awkward if not impossible" transparency. (OK, you'll need proxys between the two nets ... but I wouldn't be surprised to find that in routers a few miles down the road ....)
  • This is honestly not a troll: I am curious on how IPv6 would eliminate domain hijacking. I know a small amount about the implementation of IPv6, but I don't see any immediate solution to this social engineering problem.
  • I had a lot of problems last year trying to get NSI to change my DNS servers, but in the last few months I've had to deal with them again quite a bit, and the process has worked much much better.

    Perhaps competition is actually working?

  • And it's not just the OS. My understanding is that all the applications have to be rewritten to accomodate the bigger ip addresses. Most programs store ip addresses in an unsigned long, they'll have to be fixed.

    Come to think of it, it'd be nice, if the OS did support IPV6, and somehow we could write our applications now for longer ip addresses, and have them run either way. Even on Linux, switching to IPV6 requires recompiling or recoding all your net applications. (Last I looked.)
  • Some ISP's (like my own [visi.com] - Twin Cities) are pretty decent about rates for static IP's, and just about every DSL account has one. For $20/mo. over their $22 272k/640k service, you can have up to eight IP addresses, 5 usable because it is not bridged.

    The required equipment (a Cisco 675 DSL router) cost $50 when I signed up with the former U S West, plus the $75 setup fee. However, thanks to the suggestion of my ISP, I was able to get an Intel 10/100 NIC for free by saying that I didn't have one, and I got a $100 rebate a few months later. $25 for a DSL router with firewalling and a $40 NIC is a GOOD deal.

    My net cost per month is ~$65 -- $30 to Qwest, and the amortized cost of ISP service is something like $35 after a subscription discount. Sure, it might be a little spendy, but with the quality of service I get, I most definitely would say that I am FAR from being sodomized.

    Oh, but it's sooo tempting to get a hookup from these guys [onvoy.com]. It's only one static IP, but ooohhh... 1.5Mbit for $90/mo. doesn't seem too outrageous, and their backbone is every bit as good as the one I use right now [visi.com].

    Excuse me, I need to go clean myself off...

    end comment */

  • Is that a troll or what ?
  • Yeah, and when I submitted this news to slashdot, they rejected it - twice. It was taken/assigned to a company in China, and the damage seemed to last about 24 hours or so. No ftp.adobe.com, no cgi.adobe.com, no store.adobe.com. Pretty much dead in the water except for marketing fluff on the website. Repeated calls to various levels at Adobe were just stonewalled. After 3 hours, I got a few calls back from various people with varying degrees of knowledge of the situation. No one would explain *exactly* what happened, but 2 confirmed that it did involve a Chinese company. I'd be wary of dealing with a company that had so many levels of apparently clueless people as the main line public contacts.
  • Bind 9 supports both IPv6 and DNSSEC. But you don't have to use IPv6 to use DNSSEC, so I don't see how this helps IPv6 deployment.

    Don't get me wrong - I want to see IPv6 deployed, and run an IPv6-enabled domain (running FreeBSD), but whilst having a IPv6 enabled DNS server is a necessity, DNSSEC isn't going to affect IPv6, either for or against.

    If you want IPv6, you need to hope Microsoft don't delay Whistler again - that will make the biggest difference to getting ISPs to start thinking about deployment.

  • You are going to need an IP for work, for home, for your car, for you PDA, for your cell phone, and for the multitude of things that we have yet to invent that will need an IP.
  • Comment removed based on user account deletion
  • it happened to me last year. the fucker got my domain and asked me to send him my credit card info so that he could charge $200 to it, before he would give me the domain back. needless to say, i didn't play.

    NSI came around, after a week of faxes, emails and threatening phone calls from me and my lawyer.

    the FBI wouldn't help because i couldn't honestly say i'd lost more than $5000 in the time my domain was out of my control.

    -c
  • Comment removed based on user account deletion
  • Win2K doesn't support DNSSEC at all, at least not in the traditional sense. It supports transaction security (mostly used to authenticate dynamic updates), using a method incompatible with IETF standards (including their own spec, interestingly). If MS actually documents what they're doing, bind will support it (at some point).

    DNSSEC authentication is fully dependent on clients. Servers can give out digital signatures, but clients must be configured to authenticate them for them to be useful. So, if MS doesn't implement DNSSEC, that means that MS clients wouldn't notice spoofing, but others might.

  • Why do you think switching (or routing) IPv6 is easier than switching IPv4? The only improvement at this level claimed by IPv6 is a stricter address allocation hierarchy. So routing tables might be smaller in the long run. As far as I can see, it's always going to be easier to route IPv4 packets than IPv6 packets, given an equal number of routing entries, simply because of the smaller address size.
  • Thanks for replying. btw, I went to your home page and your link to nai.com about DNS security is broken...

    Anyway, what I meant by spoofing was in the sense that if I ran bind 9 and wanted to allow MS clients to use DDNS, I couldn't use MSes security procedure so I'd have to rely on authentication by IP address range only, which someone could spoof and cause wrongful updates to my DNS server... not a pretty thing to think about...

  • There are two more common problems in addition to the ones mention:

    1. If you use MAIL FROM authentication, make sure you reply to the Reply-To: address, not the From: address. (And change to using CRYPT-PW authentication -- the MAIL FROM stuff is not secure as this thread shows.)
    2. The default template generated for changes specifies MAIL FROM authentication, but that is in no way related to the actual authentication in use. If you've forgotten that you're using CRYPT-PW authentication, you will get no clue from the template or from the failure messages.

    Note that the password is insecure as well since it's sent in the clear when used, twice in the clear if you let it generate the template and mail it to you. Also the encryption algorithm leaves quite a bit to be desired, but that's off topic.

  • If you cut and pasted from a calculator, you were probaly using Windows. And you should be shot immediately.

  • I don't want to put a new system into place that creates the next Network Solutions.

    Don't worry. The responsibility belongs to the current Network Solutions, er, I mean VeriSign Global Registry. That's why DNSSEC is about as useful as tits on a boar hog. Exactly nothing has been done to set up the PKI required to make DNSSEC useful, and it looks like exactly the same will be done for the forseeable future.

    My guess is that ordinary DNS and IPv4 will be still operating the vast majority of the Internet for the next ten years, at the very least.

  • by Cihl ( 241861 ) on Friday October 20, 2000 @04:57AM (#689882) Homepage
    You forgot the sheer lack of unique IP-adresses.

    (i'm going to use cut&paste from a calculator now :)

    IPv4 has a 32-bit address-range (duh!) which means there are 4,294,967,296 different addresses. Give everyone on earth a unique address, and there won't be enough of them already! If everyone were to connect their coffee makers, tv-sets and such; well, you see my point.

    IPv6, on the other hand, has a 128-bit (!) address-range instead. This'll give us 3,4028236692093846346337460743177e+38 addresses. This leaves enough room for everybody, including their home/work-appliances, for at least the next 10 years. ;)

    THAT's the *real* difference.

  • What's going to usher in IPv6 is the scarcity of IPv4 addresses. At the present growth rate of the internet, a 32-bit address space isn't going to give us enough for much longer. There's so much infrastructure and investment in the present system that it takes a crisis like that to blow thru the barriers. It's a large-scale version of what happened when the U.S. finally went to area codes that had middle digits other than 0 or 1. A lot of PBX owners were rending their garments over it, but it finally happened.
  • OK, this is basically me second time reading about DNSSEC. What i want to know is this: if all our DNS servers are going to have public/private keys and certs like SSL web servers, who is going to be the certificate authority?

    Will we have to pay another few hundred bucks to Verisign and the like for EVERY DNS server? Or is there going to be a cheap or publicly run system for certifying DNSSEC keys?

    I don't want to put a new system into place that creates the next Network Solutions.
  • Evidently, Adobe.com got redirected, too.
  • My understanding is that Network Solutions will be cretificate authority. Of course, they haven't implemented this yet, so DNSSEC is pretty useless at the moment.
  • Hijacking web pages is the easiest thing in the world to do!!! In fact, I'm hijacking this thread right now. You are a captive reader to what I am saying and you can't leave until I get done typing!!! So, to prove my point, I will now ramble on Katz-like about the fact that only geeks can understand me because I was looked at funny when I was a kid because I'm a geek so I can install Linux now but not really because I have to post to slashdot to ask for installation help because even though I am a world renowned author (if you don't believe me, just ask me!) I can't be bothered to read the FAQ's or man pages because I'm busy being a geek. Ha! You were my prisoner for a total of ... 8 seconds! Told you so...

  • by irix ( 22687 ) on Friday October 20, 2000 @06:42AM (#689888) Journal
    Not all applications have to be re-written. There have been IPv6-compliant networking functions (inet_pton(), etc. etc.) out there for a while now, so if you have a clue you have been using them.

    Sun, who provides a dual stack (IPv4 and IPv6) in Solaris 8 has a "scrubber" utility that will help go through your code and remove IPv4 only funtions and such.

    Applications written to use the "newer" networking code work fine in IPv4 and IPv6 - like BIND9.

  • This is a constant criticism of IPv4, yet every month, more and more companies are setting up DSL service, cable modem service, and more and more businesses are registering domain names and getting little /28 subnets. All these people out there are consuming (essentially) a static address. It's not like a /24 pool of addresses is feeding 1000 dialup users. These are full time connecitons.

    So are we really running out? I mean, we won't have enough IPv4 for every person in China to have their own static IP I'm thinking, but that's also a non-issue, due to their Great Firewall. Heck, they could IPMasq the whole country! (probably do anyway).

    This sounds more and more like a "global warming" scare, or the "global cooling" scare from the 70s.

    Club of Rome, anyone?

  • And when internet aware devices will hit the market, and you will need 10 or 15 IPs per household - IPv4 will not be able to hand that.

    Bah, that's what NAT is for.

    I'm kinda scared. When people don't need NAT anymore, many of them won't bother with firewalls...


    ---
  • I don't understand how the digital signature thing is going to work, Someone hi-hacks the domain (One the get a nice denal of service attack for up to 12 hours :-) The could change all the information on the domain. Whats to stop them generating a new digital signature? May be paying for verisol [heh they should merge] to do it for them. (The could claim they lost the old one....).

    Clearly have the signature has to be registered on the root servers and half on the child. How is the root one populated? Surely it will be populated the same way the registry for .org or .net is! And they can be spoof attacked today.

    All it seems to do is to add some delay into the process, ie it takes longer to get verisol to build you a signature, anyone can spoof a company letter head! It might protect IBM or Nike, but not the little guys, cos no one knows much about them letter head wise, company offices et al.

    I hear you say it! But it will buy us time, well I had my domain jacked it took netsol 1.5 months and lots of phone calls, to return it to my possession, so it may by time, but netsol will squander it! My domain redirected to a nice p0rn site for a few days, (the guy wanted access to things for its quick return).

    PS it was jacked that way, cos I was stupid enough to have other people register it for me, I hold my own keys now, that is lession one, may sure you have the keys to your domain not some domain name business!!!! (Plus if they go bust they might take your domain with them!)

    James
  • DNSSEC [dns.net] isn't going to be the be-all, end-all for DNS. In addition to any issues with the implementation, we have the issues of any public key infrastructure. Do I trust you? Can I verify you? Should I? Layer on top of this BIND's exemplary record for security and I see nothing but problems. - technik
  • by Anonymous Coward

    What happened to IPv5 anyway?

    IPv1, IPv2, IPv3 were all destroyed during construction. IPv5 mysteriously disappeared 24 hours after being published.

  • IPv6 systems shouldn't have a problem accessing IPv4 address space. 64.28.67.48 in v4 is just ::::40:1C:43:30 in v6, and vice versa. Hell, I'd expect most apps (or even the socket layer itself) to be "user friendly" by allowing use of 0-255 for each byte field in the address and just convert it to hex, as well as assume all preceeding fields are 00 if too few are provided, as with an v4 address.

    If the protocol itself isn't backwards-compatible I see no reason why it can't just be wrapped or translated. This is probably moot anyway though, since I'd expect most sites to just run both protocols during transition.
    ---
    Where can the word be found, where can the word resound? Not here, there is not enough silence.
  • Uh, no. You've been able to run BIND on multiprocessor systems since the dawn of time. It just wasn't multithreaded before.

  • I didn't know, so that's why I put in "Or something similar?" And sure enough, someone answered that legitimately. You of all people should respect the sharing of knowledge; your ridicule indicates your closed-mindedness.
  • by Anonymous Coward
    As far as i can see, IPv6 doesn't have any benefits over IPv4.

    How about

    • Static IPs for everyone
    • Better security
    • Better support for mobile devices
    • Faster (you try switching IPv4 at 50Gb/s)
    • Quality of Service (sorta kinda)
  • by mwalker ( 66677 ) on Friday October 20, 2000 @05:25AM (#689898) Homepage
    At every IETF meeting I've been to, including the most recent one in Pittsburgh, the IPv6 discussion went like this:

    Q: Is microsoft going to support it in a release OS?
    A: No, but microsoft research has a stack in development
    Q: Does Cisco support it?
    A: We're working on it.

    Then half the room walks out the door, and all that's left is the Kame project talking about how they can tunnel their ipv6 site through ipv4 to see the dancing turtle.

    IPv6 is dead till it ships in a microsoft stack. When it does, IPv6 will be real instantly.

    And you can quote me on that.
  • I read a bit more on this here [toad.com].

    Exchanging Keys with Sub- and Super-Zones

    Other peoples' machines won't know that your zone's public key is accurate unless you have it signed by its superzone. (The superzone of e.g. "toad.com" is "com".) Similarly, if you have any sub-zones, you should get a public key from each of them, sign it, and return the signature to them.

    So i guess the "parent" is authority. And ultimately, the root servers are.

  • So that's how they're doing the new addresses. I do like the colon in place of the period: easier to type (well, sort of). Trouble is, Verizon probably won't upgrade until they must (two years after the universal acceptance and worldwide upgrade to IPv6), and I'm having problems with them disconnecting me in the middle of Counter-Strike, as well as their login server crashing constantly. Looks like I'll need to storm the substation at night and flog the regional admins.
  • I've talked to numerous people who have had this happen to them who have transferred their domains from netsol to the company I work at to avoid this happening again (http://register.gkg.net/ [gkg.net]).


    The system we have in place requires domain contacts to log in over an SSL connection to make changes to their domains, which is much safer than the email system NSI uses.

To be awake is to be alive. -- Henry David Thoreau, in "Walden"

Working...