On Fri, 15 Aug 2008, David Conrad wrote:
>
> Let me try to (hopefully) more clearly articulate my question: given
> the fact that caching servers only care about DNSSEC if they're
> explicitly configured to do so, does anyone anticipate any stability/
> security concerns to those folks who _haven't_ configured DNSSEC if
> the root is signed?
There are two more problems with this.

First, putting any kind of large record in the root creates the opportunity to use root servers in a DOS attack by sending queries for the large records to the root servers. Because of root anycasting, there are over 100+ root servers spread around the world that will respond to queries. A botnet distributed worldwide should be able to send queries to most or all of these servers. Most or many of these servers have very high bandwidth connections. The same would be true for TLD servers, and large, high-traffic domains like microsoft.com, etc. It is very hard, if not impossible, to mitigate attacks coming from root, TLD or other significant sites.

Second, as I start to look closer at DNSSEC, there appears to be a problem in the DNSSEC protocol in that if caching servers don't care about DNSSEC, then caches could store RRSIG records that are out of sync with the RR they sign. When the security-aware resolver obtains both records from the caching server, the resolver that finally checks one record against the other will find that the signature doesn't match. This scenario could happen by accident during zone updates between master and slaves after the RR was changed, if the cache gets one RR from the master and receives the RRSIG from another server (one might try to avoid this by adding RRSIG records as additional, but there is still a race on the internal representation if multiple responses are received from different servers). Or it could happen on purpose using a cache poisoning attack. Once the incorrect records are cached, a DOS occurs. (It's only an attack if it's on purpose.) If the caching server checks the signature of all records, it's susceptible to a DOS attack by lots of DNSSEC queries that take a lot of computation to check. Seems to be no-win.

The first problem is reason enough not to deploy DNSSEC. The second problem is serious, too, but I think only affects DNSSEC users who have shot themselves, other DNSSEC users, and those using DNSSEC-aware caching servers in the foot, so to speak.

Back to the drawing board?

--Dean

--
Av8 Internet    Prepared to pay a premium for better service?
www.av8.net     faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
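The second problem raised above (an RRset and its RRSIG arriving from different servers during a zone update, so that the cached pair no longer validates) is easiest to see in a model of the validator's checks. The following is an added example, not code from the thread or from any DNS implementation: an HMAC stands in for the zone's public-key RRSIG signature so it runs offline, the zone data and timestamps are constructed, and the `ValidatingCache` class is a hypothetical cache that only stores an RRset together with an RRSIG that validates it, in the same order of checks RFC 4035 section 5.3.1 prescribes.

```python
"""Why a validating cache must keep an RRset and its RRSIG as one unit.

Added example, not from the original thread. Everything here is a model:
an HMAC stands in for the zone's public-key RRSIG signature so the block
runs offline, and the zone data is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

ZONE_KEY = b"constructed-zone-signing-key"  # stand-in for the zone's private ZSK


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    ttl: int
    rdata: tuple  # canonical rdata strings


@dataclass(frozen=True)
class RRSIG:
    name: str
    type_covered: str
    original_ttl: int
    expiration: int
    inception: int
    signer: str
    signature: bytes


def _signed_bytes(rrset, type_covered, original_ttl, expiration, inception, signer):
    # Mirrors RFC 4034 section 3.1.8.1: the signature covers the RRSIG RDATA
    # (minus the signature field) plus the RRset in canonical form.
    header = f"{type_covered}|{original_ttl}|{expiration}|{inception}|{signer.lower()}"
    body = "|".join([rrset.name.lower(), rrset.rtype, str(rrset.ttl), *sorted(rrset.rdata)])
    return f"{header}||{body}".encode()


def sign(rrset, signer, now, lifetime=86400):
    """Produce the RRSIG a signing master would publish alongside rrset."""
    expiration, inception = now + lifetime, now
    data = _signed_bytes(rrset, rrset.rtype, rrset.ttl, expiration, inception, signer)
    mac = hmac.new(ZONE_KEY, data, hashlib.sha256).digest()
    return RRSIG(rrset.name, rrset.rtype, rrset.ttl, expiration, inception, signer, mac)


def verify(rrset, rrsig, now):
    """Return None when rrsig validates rrset, else the failing check (RFC 4035 section 5.3.1 order)."""
    if rrsig.name.lower() != rrset.name.lower():
        return "owner name mismatch"
    if rrsig.type_covered != rrset.rtype:
        return "type covered mismatch"
    if rrsig.original_ttl != rrset.ttl:
        return "original TTL mismatch"
    if not rrsig.inception <= now <= rrsig.expiration:
        return "outside validity window"
    data = _signed_bytes(rrset, rrsig.type_covered, rrsig.original_ttl,
                         rrsig.expiration, rrsig.inception, rrsig.signer)
    expected = hmac.new(ZONE_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rrsig.signature):
        return "signature mismatch"
    return None


class ValidatingCache:
    """Hypothetical cache that stores an RRset only with an RRSIG that validates it."""

    def __init__(self):
        self.store = {}

    def insert(self, rrset, rrsig, now):
        reason = verify(rrset, rrsig, now)
        if reason is not None:
            return False, reason  # nothing enters the cache, so no inconsistent pair is served
        self.store[(rrset.name.lower(), rrset.rtype)] = (rrset, rrsig)
        return True, "cached"


def demo(now=1_218_800_000):
    """Replay the zone-update race: RRset from the master, RRSIG from a lagging slave."""
    old = RRset("www.example.", "A", 3600, ("192.0.2.10",))
    new = RRset("www.example.", "A", 3600, ("192.0.2.20",))
    sig_old = sign(old, "example.", now - 600)  # slave still serving the pre-update signature
    sig_new = sign(new, "example.", now)        # master's signature for the updated RRset
    cache = ValidatingCache()
    mixed = cache.insert(new, sig_old, now)     # pair assembled from two different responses
    whole = cache.insert(new, sig_new, now)     # pair taken from a single response
    return mixed, whole


if __name__ == "__main__":
    print(demo())
```

The design point is that the cache never holds a half-validated pair: `insert` rejects the mixed RRset/RRSIG combination at the signature check and keeps only the pair that came back in one response, which is what makes the "bad signature stays cached" outcome in the message a property of non-validating caches rather than of the validator.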
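For the first problem, large records drawing reflected query floods at authoritative servers, the standard server-side mitigation is response rate limiting. The following is an added example, not code from the thread or from any DNS server: it models the token-bucket idea behind BIND's RRL (a per-second budget of identical responses per client /24, with every Nth excess response "slipped" as a truncated reply so a genuine client retries over TCP) and runs it over constructed query-log lines; the log, the limits, and the `TC_RESPONSE_BYTES` size are all assumptions.

```python
"""Response Rate Limiting (RRL) applied to constructed authoritative-server query logs.

Added example, not from the original thread. The algorithm is the token-bucket
idea behind BIND's RRL; the log lines, limits and sizes are constructed.
"""
from collections import defaultdict
import ipaddress
import math

# Constructed log: "<epoch> <src_ip> <qname> <qtype> <response_bytes>".
# 203.0.113.7 is the spoofed source of a reflection flood; 198.51.100.5 is a normal client.
SAMPLE_LOG = """\
1218800000.00 203.0.113.7 example. DNSKEY 1500
1218800000.05 203.0.113.7 example. DNSKEY 1500
1218800000.10 203.0.113.7 example. DNSKEY 1500
1218800000.15 203.0.113.7 example. DNSKEY 1500
1218800000.20 203.0.113.7 example. DNSKEY 1500
1218800000.25 203.0.113.7 example. DNSKEY 1500
1218800000.30 198.51.100.5 www.example. A 80
1218800000.30 203.0.113.7 example. DNSKEY 1500
1218800000.35 203.0.113.7 example. DNSKEY 1500
1218800000.40 203.0.113.7 example. DNSKEY 1500
1218800000.45 203.0.113.7 example. DNSKEY 1500
1218800000.50 203.0.113.7 example. DNSKEY 1500
1218800000.55 203.0.113.7 example. DNSKEY 1500
1218800000.70 198.51.100.5 www.example. A 80
"""

TC_RESPONSE_BYTES = 64  # constructed size of a truncated (TC=1) reply


def parse(line):
    ts, src, qname, qtype, size = line.split()
    return float(ts), src, qname.lower(), qtype.upper(), int(size)


def bucket_key(src, qname, qtype, prefix_len=24):
    # Budget per client prefix, not per address: a spoofed flood spreads over a block
    net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    return (str(net), qname, qtype)


class RRL:
    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self.sent = defaultdict(int)    # (second, key) -> responses already sent
        self.excess = defaultdict(int)  # (second, key) -> responses over budget

    def decide(self, ts, key):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        slot = (math.floor(ts), key)
        if self.sent[slot] < self.limit:
            self.sent[slot] += 1
            return "send"
        self.excess[slot] += 1
        if self.slip and self.excess[slot] % self.slip == 0:
            return "slip"
        return "drop"


def run(log, limit=5, slip=2):
    """Apply RRL to every logged response and tally verdicts and bytes on the wire."""
    rrl = RRL(limit, slip)
    stats = {"send": 0, "slip": 0, "drop": 0, "bytes_sent": 0, "bytes_suppressed": 0}
    for line in log.strip().splitlines():
        ts, src, qname, qtype, size = parse(line)
        verdict = rrl.decide(ts, bucket_key(src, qname, qtype))
        stats[verdict] += 1
        if verdict == "send":
            stats["bytes_sent"] += size
        else:
            stats["bytes_suppressed"] += size  # the large response never leaves the server
            if verdict == "slip":
                stats["bytes_sent"] += TC_RESPONSE_BYTES
    return stats


if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```

On the constructed log the flood source gets its first five DNSKEY responses in the second, and of the seven excess queries three are answered with a 64-byte truncated reply and four are dropped, so 10500 of the 18000 bytes the server would otherwise have reflected toward 203.0.113.7 are never sent; the normal client's two A answers are unaffected because they fall under a different bucket key.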