On Sun, Jan 18, 2015 at 11:28:44AM +0100, Stephane Bortzmeyer wrote:

> On <http://www.spiegel.de/media/media-35658.pdf> p. 9 (NSA slides,
> leaked to the press), the DNS resolution process is strange, as if
> recursion, instead of iteration, were used by all DNS servers of the
> world, including the root name servers. Too much haste in using
> PowerPoint? Ignorance? Deliberate attempt to obfuscate the issue?
>
> I'm trying to find out if this NSA attack is a good use case for
> DNSSEC.
I believe you're asking the question: Would DNSSEC create 'no-go zones' for certain types of attacks? (Apologies for the pun. :)

Absent some other unknown attack, real-time spoofing attacks require pre-Kaminsky resolution logic (no SPR, no 0x20, perhaps even lack of RFC 2181 handling logic, or misplaced reliance on djb dnscache, which is readily poisonable, etc.)

From my own sinkhole authority resolvers, some 10-15% of recursives still don't appear to do SPR (or equivalently have their SPR flattened out by CGN equipment). I suspect they are trivially vulnerable to a variety of off-path attacks. A ccTLD or popular authority would likely see a larger sampling of the world's recursives, but I suspect my view is representative of an Internet-wide average. I do note that some types of activities, e.g., torrent use, tend to sample from recursives that are more secure.

So while DNSSEC would help avoid off-path DNS attacks, so would SPR, 0x20, etc. One could say DNSSEC would help, but one could also say that its adoption would be slow, given the lack of SPR in some recursives.

Other complications appear: From what I read in the press, some of the DNS attacks were used to repurpose botnet infections. It seems unlikely that botmasters will sign their C&C zones.

Ironically, small portions of the security community seem opposed to DNSSEC, usually based on misunderstandings of the technology, misperceptions about government control of ZSKs, or for unstated commercial competitive reasons, etc. This opposition, most prominent in the penetration testing communities, might persuade fewer sites to sign their zones, and fewer recursives to update old software. In any event, I believe botnet C&C zones are unlikely to be signed. (So in that case, DNSSEC would help, but would never be used, due to misperceptions and suspicion.)

I suspect qname minimization would also help, in an unusual way. While I'm clearly guessing, it would seem to make targeting more difficult (depending on the qname structure one hoped to poison, of course). So real-time attacks against mail.$TARGET.$TLD would not be able to distinguish the recursive's delegation chase for low-value-image-cache.$TARGET.$TLD. Presumably this makes things more difficult: (a) attackers either have to insert NS records and answer for the entire zone, and not just the inserted A records discussed in press articles; and (b) this potentially introduces another hop length (for the NS substitution)---an important factor in spoofing, packet-races, and other time-critical attacks.

Summary: Does DNSSEC help? In general, yes; but only if used. (Validation stops spoofing.) I suspect this is also true of qname minimization. (Parsimonious revelation of qnames during delegation discovery may obscure the iterating recursive targets, or complicate their subversion by requiring whole-zone substitution by the attacker.)

--
David Dagon
da...@sudo.sh
D970 6D9E E500 E877 B1E3 D3F8 5937 48DC 0FDC E717

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
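Added example (not part of the thread above, and not code from any of the posters): two small Python routines that illustrate the measurements Dagon describes. The first mimics what an authority operator can do with its own query logs to spot recursives whose source ports or transaction IDs are fixed or sequential (no SPR, or SPR flattened by CGN) and whether they mix qname case (0x20). The second shows why qname minimization blurs the target: with the delegation points assumed to be known, the queries a minimizing resolver sends to the root and TLD servers are identical for mail.$TARGET.$TLD and low-value-image-cache.$TARGET.$TLD. The log format, the IP addresses, ports and IDs, and the simplified "zone cuts already known" model are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of authority-side query log lines (not real data).
# Fields: unix time, client IP, client UDP source port, DNS transaction id, qname.
SAMPLE_LOG = """\
1421580000.001 198.51.100.7 53 0x1a2b www.example.net
1421580000.102 198.51.100.7 53 0x73e0 mail.example.net
1421580000.203 198.51.100.7 53 0x0c9d ftp.example.net
1421580000.304 198.51.100.7 53 0xe512 ns1.example.net
1421580001.001 203.0.113.9 41207 0x9f31 wWw.ExAmPle.nEt
1421580001.102 203.0.113.9 58013 0x04c2 MaIl.eXaMpLe.NeT
1421580001.203 203.0.113.9 33650 0x7718 fTp.ExamPle.net
1421580001.304 203.0.113.9 61822 0xb0aa Ns1.exAmple.nET
1421580002.001 192.0.2.33 1025 0x0001 www.example.net
1421580002.102 192.0.2.33 1026 0x0002 mail.example.net
1421580002.203 192.0.2.33 1027 0x0003 ftp.example.net
1421580002.304 192.0.2.33 1028 0x0004 ns1.example.net
1421580003.001 192.0.2.200 53 0x1111 www.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<txid>0x[0-9a-fA-F]{1,4})\s+(?P<qname>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append({"ts": float(m["ts"]), "ip": m["ip"], "port": int(m["port"]),
                     "txid": int(m["txid"], 16), "qname": m["qname"]})
    return rows


def _is_sequential(values):
    """True when each value is exactly one more than the previous (a predictable counter)."""
    vals = list(values)
    return len(vals) >= 2 and all(b - a == 1 for a, b in zip(vals, vals[1:]))


def assess_resolvers(text, min_queries=4):
    """Group queries by client IP and report weak port/txid randomization and 0x20 use.

    A recursive seen fewer than min_queries times is left out: a handful of
    queries is not enough to judge whether its ports are random.
    """
    by_ip = defaultdict(list)
    for row in sorted(parse_log(text), key=lambda r: r["ts"]):
        by_ip[row["ip"]].append(row)
    report = {}
    for ip, rows in by_ip.items():
        if len(rows) < min_queries:
            continue
        ports = [r["port"] for r in rows]
        txids = [r["txid"] for r in rows]
        findings = []
        if len(set(ports)) == 1:
            findings.append("fixed_port")       # no SPR, or SPR flattened by a NAT
        elif _is_sequential(ports):
            findings.append("sequential_port")  # predictable port counter
        if len(set(txids)) == 1:
            findings.append("fixed_txid")
        elif _is_sequential(txids):
            findings.append("sequential_txid")
        # 0x20: a resolver that randomizes qname case sends names with upper-case letters.
        uses_0x20 = any(r["qname"] != r["qname"].lower() for r in rows)
        report[ip] = {"queries": len(rows), "distinct_ports": len(set(ports)),
                      "findings": findings, "uses_0x20": uses_0x20}
    return report


def minimized_queries(qname, zone_cuts):
    """Return the (zone asked, qname sent) pairs a qname-minimizing resolver issues.

    Simplified model (an assumption of this example): the delegation points in
    zone_cuts are already known, so the resolver adds one label per step below
    each cut instead of revealing the full name to every server on the path.
    """
    labels = qname.rstrip(".").split(".")
    cuts = set(zone_cuts)
    steps = []
    current_zone = "."
    for i in range(len(labels) - 1, -1, -1):   # walk from the TLD label downwards
        name = ".".join(labels[i:]) + "."
        steps.append((current_zone, name))
        if name in cuts:
            current_zone = name
    return steps


if __name__ == "__main__":
    for ip, info in assess_resolvers(SAMPLE_LOG).items():
        print(ip, info)
    cuts = {".", "net.", "example.net."}
    print(minimized_queries("mail.example.net", cuts))
    print(minimized_queries("low-value-image-cache.example.net", cuts))
```

In the constructed log, 198.51.100.7 always uses port 53 (flagged fixed_port), 192.0.2.33 counts both its ports and its transaction IDs upwards (flagged sequential_port and sequential_txid), and 203.0.113.9 looks healthy and mixes case. The minimization walk shows that only the final query, sent to the example.net servers, differs between the two names; an off-path attacker watching or racing the root and TLD steps cannot tell which one is being resolved.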