Re: draft-ietf-dnsext-forgery-resilience-01.txt
On Mon, Nov 12, 2007 at 02:57:51PM +0000, Paul Vixie wrote:
> > > a link from section 9 "Implementations SHOULD use good random source
> > > to select a Query ID"
> >
> > There is no industry consensus that this is a good idea.
>
> agreed. there's no consensus that even a ~31 bit pseudo random combination
> of source port and query ID is good enough to have confidence that any given
> answer was really received from a purported server.
That is correct. The intent of this draft is not to generate the end-all of
DNS security - that might well be DNSSEC, or as you call it 'Secure DNS'.
The intent of this draft is to raise the security bar for the interim period
until DNS gets real cryptography. The draft states as much:
The current internet climate poses serious threats to the Domain
Name System. In the interim period before the DNS protocol can be
secured more fully, measures can already be taken to make 'spoofing'
a recursing nameserver many orders of magnitude harder.
Even a cryptographically secured DNS benefits from having the
ability to discard bogus answers quickly, as this potentially saves
large amounts of computation.
> you could say something like "Implementations SHOULD NOT use query-ID schemes
> for which a proof of concept has demonstrated trivial predictability and easy
> cache pollution. NOTE WELL that the definition of 'trivial' changes every
> year, and that nothing short of Secure DNS can provide confidence in answers."
Should an implementation choose to use a random generation scheme that
turns out to be predictable, it should be obliged to shift to one that is
not. So the definition of 'trivial' or any other qualifying modifier should
not be a problem.
The upshot of it all is that the chosen query-ID (and source port) SHOULD
NOT be easily predictable.
And I'm sure there is "industry consensus" that having an easily predictable
query-ID is not a good thing.
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
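Added example, not code from the thread, the draft, or PowerDNS: it models the two points argued above, the resolver-side check that lets bogus answers be discarded cheaply (answer must match the outstanding query's server, destination port, query ID and question), and the odds a blind forger faces once both the 16-bit query ID and the ephemeral source port are drawn from a good random source. The `PendingQueries` class, the port range 1024-65535 and the sample names are assumptions of this example; the "~31 bit" figure in the thread depends on how many ports an implementation actually uses.

```python
import math
import secrets
from collections import Counter

ID_BITS = 16                  # DNS query ID is a 16-bit field
PORT_MIN, PORT_MAX = 1024, 65535   # assumed ephemeral port range


def port_choices(lo: int = PORT_MIN, hi: int = PORT_MAX) -> int:
    """Number of distinct source ports the resolver may pick from."""
    return hi - lo + 1


def match_probability(id_bits: int = ID_BITS, ports: int = 1) -> float:
    """Chance that one blindly forged packet matches a single outstanding
    query. ports=1 models a fixed source port (only the ID is unknown)."""
    return 1.0 / ((1 << id_bits) * ports)


def effective_bits(id_bits: int = ID_BITS, ports: int = 1) -> float:
    """Entropy a forger must guess, in bits: ID bits plus log2(ports)."""
    return id_bits + math.log2(ports)


def looks_sequential(ids: list[int], threshold: float = 0.5) -> bool:
    """Crude self-check for an ID generator: if one delta (mod 2^16)
    dominates successive IDs, the scheme is trivially predictable."""
    deltas = [(b - a) % (1 << ID_BITS) for a, b in zip(ids, ids[1:])]
    if not deltas:
        return False
    _, count = Counter(deltas).most_common(1)[0]
    return count / len(deltas) > threshold


class PendingQueries:
    """Outstanding-query table keyed on (server, local port, query ID).
    An answer is accepted only if that key exists and the question matches."""

    def __init__(self) -> None:
        self._pending: dict[tuple[str, int, int], tuple[str, str]] = {}

    def send(self, qname: str, qtype: str, server: str) -> tuple[int, int]:
        qid = secrets.randbelow(1 << ID_BITS)            # CSPRNG-backed ID
        port = PORT_MIN + secrets.randbelow(port_choices())  # CSPRNG-backed port
        self._pending[(server, port, qid)] = (qname.lower(), qtype)
        return qid, port

    def accept(self, src: str, dst_port: int, qid: int,
               qname: str, qtype: str) -> bool:
        """Return True and consume the entry only for a matching answer;
        anything else is dropped before any further processing."""
        key = (src, dst_port, qid)
        expected = self._pending.get(key)
        if expected is None or expected != (qname.lower(), qtype):
            return False
        del self._pending[key]   # first matching answer wins; replays are rejected
        return True


if __name__ == "__main__":
    # Constructed demonstration values.
    print("fixed port:  %.1f bits" % effective_bits())
    print("random port: %.1f bits" % effective_bits(ports=port_choices()))
    pq = PendingQueries()
    qid, port = pq.send("example.com.", "A", "192.0.2.1")
    print("matching answer accepted:", pq.accept("192.0.2.1", port, qid, "example.com.", "A"))
    print("sequential IDs flagged:", looks_sequential(list(range(200))))
```

The table shows why a per-query random port matters: with a fixed port the forger only has to hit the 16-bit ID, while a random port in the assumed range brings the unknown to roughly 32 bits, and every non-matching packet is rejected by a dictionary lookup before any validation work is spent.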
archive: <http://ops.ietf.org/lists/namedroppers/>