[arin-ppml] ARIN-prop-167 Removal of Renumbering Requirement for Small Multihomers

Jimmy Hess mysidia at gmail.com
Sat May 5 13:42:41 EDT 2012


On 5/3/12, William Herrin <bill at herrin.us> wrote:
> Due respect Jimmy, read up on DNS pinning. The whole point is to hold
> the first IP address beyond the TTL. It's the solution to a
> particularly nasty JavaScript vulnerability.

DNS pinning comes into play only for low-TTL records. Keep the TTL
for your DNS records at 86400 or higher, and there is no pinning.

DNS pinning is an "excuse", not a legitimate reason not to renumber.

The specified security function of DNS pinning for low-TTL records is
to prevent a specific rebinding attack, which is a time-sensitive
attack; DNS-pinning anything without a low TTL was not part of the
spec and would be uncalled for. No one here has actually identified
any commonly used browser that has DNS pinning which is broken in the
manner suggested.

There is no documented proof available that specific implementations
of DNS pinning are broken, or that it is a real issue even over a
transition staged over a substantial length of time.

Again, browser windows don't get left open for 2 months, let alone 6 or 12.
It is pretty much unheard of, unless that browser is solely being
pointed to your one site and doing nothing else over the entire
timeframe, with the page constantly being loaded, for the purpose of
intentionally having an issue.

Web browsers aren't that stable, require constant updates due to bugs
in plugins such as Flash/Acrobat, and don't see those kinds of
uptimes, even if the browser has a broken implementation that pins
DNS until restart.

Heck... desktop OSes are not that stable, and it is critical that
they be updated frequently; uptimes above 30 days are rare, and
six-month uptimes are almost unheard of.

And the policy provides 12 months.

It's certainly feasible to transition DNS records for 255 hosts within 90 days,
and to have your IT staff provide a dual-IP period of sufficient length
that requests to the old address become vanishingly small.

Require your IT staff to monitor requests that do come in at the old
IP address after a period of time, identify any issues, and repeat
until all issues are gone.

And I'm sure ARIN can offer some sort of extension to the 12 months
with good cause (?)

There is no pain whatsoever involved, given enough time, and 12
months is a lot of time. Renumbering is a simple incremental
procedure.

--
-JH


