
Re: Transition from 2535 to opt-in



On Fri, 7 Dec 2001, Ted Lindgreen wrote:

> [Quoting Roy Arends, on Dec  7,  0:17, in "Re: Transition from  ..."]
>
> > On Wed, 5 Dec 2001, Edward Lewis wrote:
> >
> > > At 5:50 AM -0500 12/5/01, Ted Lindgreen wrote:
> > > >OptIn: if OptIn, why not just forget NXT?
> > >
> > > The question of whether "authenticated denial is desired" has been answered
> > > "yes" a number of times over the past year or so.  The question has been
> > > raised by the WG chair on the list and in person at London.  So it appears
> > > that there is a desire to provide the service.  (Why?  I don't know)
> >
> > Why?
> >
> > In a secured world I want cryptographic proof that somebank.info does not
> > exist if asked for. Simply handing over an NXDOMAIN status doesn't cut it,
> > anyone could give me that status, and there is nothing to cryptographically
> > verify. Would make a beauty of a DoS if it did.
>
> Please note that if you can substitute a secured RR by an NXDOMAIN,
> you can probably also substitute other info.
> Therefore, when a DoS attack is the goal, and substitution is
> possible, there are plenty more possibilities to do that.
> This is true whether we have DNSSEC or not. And if we have DNSSEC,
> it can be done whether the zone is signed or not.
>
> In fact, I am afraid that it is even easier to DoS a secured RR,
> because just flipping any single bit in any of the accompanying
> SIG/KEY chain will do just as well as substituting the RR itself,
> so the substitution possibilities only increase.
>
> This seems bad, but please understand that DNSSEC was neither
> designed as, nor capable of, a defence against DoS attacks.
>
> So, yes, there may be compelling arguments why and when authenticated
> denial is desired, but defence against DoS attacks is not one of them.

I keep hearing that statement over and over all over the place in several
ways, shapes and forms: "DNSSEC was not designed as a defense against DoS
attacks". When I say "beauty" of a "DoS" attack, I implied one can
actually (ab)use DNSSEC in an almost perfect way to simply kick a domain
off the planet if one would do away with authenticated denial. Note that
this is a far more efficient (several orders) DoS attack than simply
compromising a record on the fly.

If the "DNSSEC was not designed as a defense against DoS attacks" is used
as a general statement, why aren't NXT and SIG generated on the fly?
EXACTLY, to make sure the system will not be used against a DoS.

And why is there DNSSEC in general? To defend against spoofs, poisons and
other DoS attacks.

It is all in the eye of the (secure) resolver. It wants some cryptographic
proof, a signed record, something to verify.

Roy Arends
Nominum
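An added example, not part of Roy's message or of any DNSSEC implementation: a toy validating resolver that applies the rule argued above, treating a bare NXDOMAIN as unverifiable and accepting a denial only when a correctly signed NXT record covers the queried name. The zone, names and key are constructed, and an HMAC with a shared key stands in for the RFC 2535 SIG/KEY public-key signature.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone key: stand-in for the zone's SIG/KEY pair (real DNSSEC
# uses public-key signatures; an HMAC keeps this example self-contained).
ZONE_KEY = b"constructed-example-zone-key"

def canonical(name: str) -> tuple:
    """Canonical ordering key (RFC 2535 section 8.3): labels compared
    right to left, case-insensitively."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

@dataclass
class NXT:
    owner: str   # name that exists
    next: str    # next existing name in canonical order (apex on wrap)
    sig: bytes = b""

def sign_nxt(rec: NXT) -> NXT:
    data = f"{rec.owner.lower()}|{rec.next.lower()}".encode()
    return NXT(rec.owner, rec.next, hmac.new(ZONE_KEY, data, hashlib.sha256).digest())

def sig_valid(rec: NXT) -> bool:
    return hmac.compare_digest(sign_nxt(NXT(rec.owner, rec.next)).sig, rec.sig)

def nxt_covers(rec: NXT, qname: str) -> bool:
    """True if qname sorts strictly between owner and next."""
    o, n, q = canonical(rec.owner), canonical(rec.next), canonical(qname)
    if o < n:
        return o < q < n
    return q > o or q < n   # last NXT in the chain wraps to the zone apex

def validate_denial(qname: str, rcode: str, nxt: Optional[NXT]) -> str:
    """The secure resolver's view: NXDOMAIN alone proves nothing; the
    denial is accepted only with a verifiable NXT covering the name."""
    if rcode != "NXDOMAIN":
        return "not a denial"
    if nxt is None:
        return "bogus: NXDOMAIN without NXT, nothing to verify"
    if not sig_valid(nxt):
        return "bogus: NXT signature does not verify"
    if not nxt_covers(nxt, qname):
        return "bogus: NXT does not cover the name"
    return "secure: authenticated denial"

# Constructed signed zone example. holding a.example. and c.example.
ZONE_NXT: List[NXT] = [sign_nxt(NXT("example.", "a.example.")),
                       sign_nxt(NXT("a.example.", "c.example.")),
                       sign_nxt(NXT("c.example.", "example."))]
```

Replaying the substitution Roy describes (an NXDOMAIN for the existing a.example.) fails every path: without an NXT there is nothing to check, the genuine NXT at a.example. does not cover its own owner, and a forged covering NXT does not verify.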


