Hello, I was just pointed at this message.
On 22 April 2015 at 12:49, Yuri Schaeffer <y...@nlnetlabs.nl> wrote:
>> Replies coming from servers not supporting edns-client-subnet or
>> otherwise not containing an edns-client-subnet option SHOULD be
>> considered as containing a SCOPE NETMASK of 0 (e.g., cache the
>> result for 0.0.0.0/0 or ::/0) for all the supported families.
>
> These two excerpts directly contradict in my opinion and DO make ECS
> enabled resolvers vulnerable to cache poisoning.
> ...
> 3) attacker sends flood of spoofed responses with evil content and
> without the ECS option. It has a high success rate due to the
> birthday problem.

So this is indeed tricky. Yes, a valid x.x.x.x/(non0)/0 response addresses birthday attack scenarios, and that should work. We've discussed this risk here quite long ago but clearly the draft needs an update. :-(

If an authority is known to support ECS, a response without ECS should in fact be discarded, not treated as 0/0. This is easy to do when you work with a whitelist, though of course there's the risk of an authority (temporarily) dropping ECS support.

> I'm not sure where to go from here. Not echoing the option after all
> is the proper EDNS way of signalling lack of support for said option.
> So dropping the option-less answer is also not a good idea.
>

Probably the safest, and then reissue a single query without ECS instead of continuing the flood.

Cheers,

--
Wilmer van der Gaast, London Traffic/Edge SRE.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
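The admission rule discussed in this message, as an added example that is not code from the thread, from Wilmer, or from any real resolver: a response that echoes the sent ECS option is cached under its SCOPE (a x.x.x.x/24/0 answer still counts as validated), an option-less answer from an authority on the ECS whitelist is never cached for 0/0 and triggers exactly one ECS-less re-query, and an option-less answer from an unknown authority follows the draft text. The ECSOption/ECSCache names, the whitelist and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class ECSOption:             # constructed model of the EDNS Client Subnet option
    family: int              # 1 = IPv4, 2 = IPv6
    source_prefix: int       # SOURCE PREFIX-LENGTH the resolver sent
    scope_prefix: int        # SCOPE PREFIX-LENGTH the authority answers with
    address: str             # client subnet address, masked to source_prefix

GLOBAL = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))
class ECSCache:
    def __init__(self, ecs_whitelist):
        self.whitelist = set(ecs_whitelist)  # authorities known to support ECS
        self.cache = {}                       # (qname, network) -> rdata
        self.reissued = set()                 # (qname, authority) re-queried without ECS

    def _cache_global(self, qname, rdata):    # "SCOPE NETMASK of 0", all families
        for net in GLOBAL:
            self.cache[(qname, net)] = rdata
        return "cache"

    def handle(self, authority, sent, qname, ecs, rdata):
        """sent/ecs: ECSOption sent / received (None = absent). Returns 'cache', 'discard' or 'reissue'."""
        if sent is None:  # we sent no option (e.g. the one reissued query): only an option-less answer fits
            return self._cache_global(qname, rdata) if ecs is None else "discard"
        if ecs is None:
            if authority not in self.whitelist:  # unknown authority: draft behaviour, treat as scope 0
                return self._cache_global(qname, rdata)
            # Known ECS authority answered without the option: never cache for 0/0; reissue once, then drop.
            key = (qname, authority)
            if key in self.reissued:
                return "discard"
            self.reissued.add(key)
            return "reissue"
        # Option present: it must echo what we sent; a /24/0 answer is valid and shows our query was seen.
        if (ecs.family, ecs.source_prefix, ecs.address) != \
                (sent.family, sent.source_prefix, sent.address):
            return "discard"
        net = ipaddress.ip_network(f"{sent.address}/{ecs.scope_prefix}", strict=False)
        self.cache[(qname, net)] = rdata
        return "cache"

    def lookup(self, qname, client_ip):  # rdata of the most specific cached network holding client_ip
        ip = ipaddress.ip_address(client_ip)
        hits = [(net.prefixlen, rd) for (n, net), rd in self.cache.items()
                if n == qname and ip in net]
        return max(hits, key=lambda h: h[0])[1] if hits else None
```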