Re: V6R1 (QGPL/QUSRSYS) question.

[Lukas Beeler <lukas.beeler@xxxxxxxxxxxxxxxx>]

On Fri, Apr 23, 2010 at 14:57, Jim Oberholtzer <midrangel@xxxxxxxxxx> wrote:
> It's reasonable to point out that security is another factor in using a
> host table. ÂFor instance if you regularly move data (in any method)
> between your system and the bank or trusted trading partners one of the
> methods bad guys use to get into the middle is to hijack the DNS entry.
> Having your own address resolution for sensitive connections is not a
> bad idea. ÂStops that practice cold.

This is a not a good argument, since any sensitive data transfer will
already be secured by either SSL/TLS or SSH, and if not the host table
is going to keep the data more secure than it already is.

Also, DNSSEC will prevent DNS spoofing. It's widely deployed in
corporations yet though, and as of V6R1, the IBM i resolver doesn't do
DNSSEC yet, though if stuck behind a trusted DNSSEC-capable resolver
(e.G. WS08R2 or a current version of BIND) it will be protected.

> When I travel, I always put the sensitive addresses in my host file on
> my laptop so I know I am connecting to the correct place regardless of
> what DNS might say, since I don't know the DNS provider etc.

You also don't know who runs your IP connections, so the fixed IP
address you have might not connect you to the host you think you're
connecting.

> Paranoid, maybe, Âgood practice, I would allow debate, however many
> auditors seem to think it's a good idea.

The main issue i see with it that it doesn't work and doesn't protect
you from anything. As such it's just paranoid and certainly not a good
practice.