Dear Dean,

[Removing Jorge from the CC-list, this reply is supposed to be technical in nature. Also removing the IESG since this appears to be a WG issue; they can go back to the archives if and when relevant]
> The answer to both the questions is "yes". There is still no evidence for "no", and _still_ no one has come forward with personal knowledge of any attacks:
> - Sullivan appears to have no personal knowledge of any attacks working at Afilias, and doesn't assert having personal knowledge.
> - Conrad says BCP38 hasn't worked (it has indeed worked--imagine if no one implemented BCP38), worked for Nominum, and ICANN, and appears to have no personal knowledge of any attacks and does not assert personal knowledge.
> - Andrews works for ISC, the document author's employer. Appears to have no personal knowledge of any attacks, and doesn't assert having any.
> - Maton Sotomayor works for the Canada National Research Council, and also appears to have no direct knowledge of any attacks, and doesn't assert having any.
> - Darcy works for Chrysler, appears to oppose the document, I think.
> Not one single attack has been cited where the two measures cited were actually insufficient.
I do not have first-hand experience from being under attack, but I have seen enough arguments that reflector attacks are not only hypothetically possible but also happen in real life. Not only from private conversations but also from, for instance, http://staff.washington.edu/dittrich/misc/ddos/grc-syn.txt and http://www.isotf.org/news/DNS-Amplification-Attacks.pdf and references therein.
The fact that folk do not have first-hand experience in being attacked does not dismiss them from making an informed trade-off. For example: fortunately, nobody in my circle of friends or family has ever been in a serious car crash. But that does not dismiss me from telling my kids that they SHOULD wear their seat belts (actually in my household it is a MUST).
An informed trade-off is what I made when reviewing the document.
> To recap: For some reason that promoters can't or won't explain, they want everyone to take the extreme measure to close open recursors, even though this causes harm to many users through cache poisoning of recursors they can't control.
Although I agree that universal BCP38 deployment would mitigate reflector-type DDOS attacks and Kaminsky-style cache poisoning attacks, I also know that BCP38 is far from universally deployed.
Because I think that BCP38 deployment is not yet sufficient, I support draft-ietf-dnsop-reflectors-are-evil-06. The draft as is does explain in detail what the problem is with DDOS caused by reflection and argues that "By default, nameservers SHOULD NOT offer recursive service to external networks.".
That is an instruction to us (I am wearing my NLnet Labs hat) as software developers who ship software, to be very careful in what sort of settings we present to whoever installs our software.
The document does not prevent an operator from changing to a non-default setting and offering recursion to the world, but allows them to make an informed decision.
> DNSSEC advocates sell DNSSEC as a solution to cache poisoning. So they are making a situation worse for their own benefit and profit.
I have not seen your argument (maybe I've overlooked it) why DNSSEC advocates benefit from this draft being published. I think BCP38 has to do with it.
For what it's worth, if your argument is (I am guessing): BCP38 would, if it were to be universally deployed, mitigate Kaminsky-style attacks. If that is the argument, I would actually agree. And even though DNSSEC protects against other types of attacks as well, full deployment of BCP38 might change the cost/benefit ratio for the deployment of DNSSEC. Even as a DNSSEC advocate I might be starting to sing a different tune then, but not now.
--Olaf Kolkman (NLnet Labs)
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
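The check behind the draft's "SHOULD NOT offer recursive service to external networks" advice, as an added example that is not part of the thread above and not NLnet Labs or ISC code: it builds a DNS query with the RD bit set, parses the 12-byte reply header, and classifies the reply by the RA bit and RCODE, which is how an operator verifies from an outside address that a resolver is no longer an open recursor. It also reports the bytes-out per byte-in ratio, the figure a reflector attacker exploits. The three reply packets are constructed here for an offline run; `probe()` sends the same query over UDP to a server you name and is an assumed helper, not a tool from the draft.

```python
"""Classify a DNS reply as recursion-available, refused or unavailable (added example)."""
import socket
import struct

QTYPE_A = 1
CLASS_IN = 1
RCODE_REFUSED = 5


def build_query(qname, qtype=QTYPE_A, txid=0x1234, rd=True):
    """Minimal query: header (RD=1 asks for recursion), one question, no EDNS."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    """Decode the fixed 12-byte header; flags per RFC 1035 section 4.1.1."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available: server will recurse for us
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query, response):
    """'open-recursor' if the server advertises RA to us; 'refused' is the closed default."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "not-a-reply"
    if r["rcode"] == RCODE_REFUSED:
        return "refused"
    if r["ra"]:
        return "open-recursor"
    return "recursion-unavailable"


def amplification(query, response):
    """Bytes returned per byte sent: >1 means the server amplifies reflected traffic."""
    return len(response) / len(query)


def make_response(query, flags, rdata=None):
    """Constructed reply for offline testing: echo the question, optionally add one A record."""
    txid = parse_header(query)["id"]
    question = query[12:]
    ancount = 1 if rdata else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if rdata:
        # name = compression pointer to offset 12 (the question name), TTL 300, 4-byte rdata
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4) + rdata
    return header + question + answer


# Constructed sample traffic (not captured from any real server).
QUERY = build_query("example.com")
SAMPLE_OPEN = make_response(QUERY, 0x8180, b"\xc0\x00\x02\x01")  # QR RD RA, NOERROR, one answer
SAMPLE_REFUSED = make_response(QUERY, 0x8105)                     # QR RD, RCODE=REFUSED
SAMPLE_NO_RA = make_response(QUERY, 0x8100)                       # QR RD, RA clear, no answer


def probe(server_ip, query=QUERY, timeout=2.0):
    """Assumed helper: send the query over UDP/53 and classify the live reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return classify(query, data)


if __name__ == "__main__":
    for name, pkt in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("no-ra", SAMPLE_NO_RA)):
        print(f"{name:8s} -> {classify(QUERY, pkt):22s} amplification {amplification(QUERY, pkt):.2f}x")
```

Run `probe()` only against resolvers you operate, and from an address outside the networks they are meant to serve; a "refused" or "recursion-unavailable" result from there is what the draft's default is meant to produce. Note that the sample A-record reply is already about 1.5x the query size with no EDNS; larger record sets make the ratio, and so the reflector's value to an attacker, correspondingly larger.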