
Re: Transition from 2535 to opt-in



[Quoting Roy Arends, on Dec  7,  0:17, in "Re: Transition from  ..."]

> On Wed, 5 Dec 2001, Edward Lewis wrote:
> 
> > At 5:50 AM -0500 12/5/01, Ted Lindgreen wrote:
> > >OptIn: if OptIn, why not just forget NXT?
> >
> > The question of whether "authenticated denial is desired" has been answered
> > "yes" a number of times over the past year or so.  The question has been
> > raised by the WG chair on the list and in person at London.  So it appears
> > that there is a desire to provide the service.  (Why?  I don't know)
> 
> Why?
> 
> In a secured world I want cryptographic proof that somebank.info does not
> exist if asked for. Simply handing over an NXDOMAIN status doesn't cut it,
> anyone could give me that status, and there is nothing to cryptographically
> verify. Would make a beauty of a DoS if it did.

Please note that if you can substitute a secured RR by an NXDOMAIN,
you can probably substitute other info as well.
Therefore, when a DoS attack is the goal, and substitution is
possible, there are plenty more possibilities to do that.
This is true whether we have DNSSEC or not. And if we have DNSSEC,
it can be done whether the zone is signed or not.

In fact, I am afraid that it is even easier to DoS a secured RR,
because just flipping any single bit in any of the accompanying
SIG/KEY chain will do just as fine as substituting the RR itself,
so the substitution possibilities only increase.

This seems bad, but please understand that DNSSEC was neither
designed as, nor capable of, a defence against DoS attacks.

So, yes, there may be compelling arguments why and when authenticated
denial is desired, but defence against DoS attacks is not one of them.

Regards,
-- ted
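As an added illustration of the "cryptographic proof that somebank.info does not exist" discussed above (example code written for this page, not from the thread or from any DNS implementation): the resolver-side check that a validated NXT record actually covers the queried name in the RFC 2535 canonical order. The zone names are constructed, and verification of the NXT's SIG is assumed to have been done before this step.

```python
# Added example, not code from the thread or from any DNS implementation.
# A resolver-side check that an NXT record (RFC 2535) actually covers a queried
# name: the name must fall strictly between the NXT owner and its "next" name
# in the zone's canonical order. The NXT's SIG is assumed to have been verified
# already; this step is what turns a validated NXT into a proof of nonexistence.

def canonical_key(name: str) -> list:
    """Sort key for RFC 2535 section 8.3 ordering: labels are compared from
    the root end as lowercase octet strings; when all shared labels are equal,
    the name with fewer labels sorts first."""
    labels = [label.lower().encode() for label in name.rstrip(".").split(".") if label]
    return labels[::-1]

def canonical_lt(a: str, b: str) -> bool:
    return canonical_key(a) < canonical_key(b)

def nxt_covers(owner: str, next_name: str, qname: str, apex: str) -> bool:
    """True if the NXT owner -> next_name proves that qname does not exist."""
    q, o, n = canonical_key(qname), canonical_key(owner), canonical_key(next_name)
    if q == o:
        return False          # qname exists (it owns this NXT); not a denial
    if not o < q:
        return False          # qname sorts before the owner: no proof here
    if n == canonical_key(apex):
        return True           # last NXT in the zone wraps around to the apex
    return q < n

def find_covering_nxt(chain, qname: str, apex: str):
    """Return the owner of the NXT in `chain` that covers qname, or None."""
    for owner, next_name in chain:
        if nxt_covers(owner, next_name, qname, apex):
            return owner
    return None

# Constructed NXT chain for a toy "info." zone, already in canonical order.
SAMPLE_NXT_CHAIN = [
    ("info.", "alpha.info."),
    ("alpha.info.", "www.alpha.info."),
    ("www.alpha.info.", "omega.info."),
    ("omega.info.", "zulu.info."),
    ("zulu.info.", "info."),          # wrap-around to the apex
]

if __name__ == "__main__":
    for q in ("somebank.info.", "beta.alpha.info.", "zzz.info.", "omega.info."):
        print(q, "->", find_covering_nxt(SAMPLE_NXT_CHAIN, q, "info."))
```

An NXT whose owner/next pair does not bracket the queried name proves nothing, so a resolver must reject it rather than treat any signed NXT as a denial.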

