On Aug 5, 2015, at 4:29 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

>> So now I can intercept a query to a site I want to attack, respond
>> with a cookie, and now that site is on the supports-cookie list.
>> So if it doesn’t support cookies, the cookie-supporting cache will
>> see a server failure, and now that domain is offline.
>
> This attack requires being on-path *and* active (sending
> responses). In that case, you don't need cookies to do harm, just send
> SERVFAIL or REFUSED responses and the resolver will stop querying the
> victim (the authoritative server).
The cookie attack works for caching servers too. And it’s not clear to me that any stub resolver would remember a REFUSED. But yes, if you have a caching resolver going to an authoritative server, I suppose that what I’m describing is not a novel attack.

> DNSSEC has a limit: it *detects* the false responses, it does not give
> you the right one. Instead of being hijacked, the domain is DoSed. It
> is an improvement but it is not sufficient. We still need channel
> protection, such as SPR and/or cookies and/or TCP.

You assert that we need channel protection, which is debatable, but I am arguing that even if we need channel protection, cookies don’t actually provide it.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
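The scenario argued over above, as an added example that is not part of the thread and not any participant's code: a minimal encoder/parser for the EDNS0 COOKIE option (RFC 7873, option code 10) and a toy resolver that keeps a per-server server-cookie table, the "supports-cookie list" the first quoted message refers to. Two things here are assumptions made for the model rather than facts from the thread: that the resolver records a server cookie the first time it sees one, and that once a server cookie is recorded a cookieless reply from that server is treated as a failure (which is exactly the behaviour the described attack depends on; a resolver that keeps accepting cookieless replies is not poisoned this way). The victim address and the forged server cookie are constructed values. An on-path attacker can echo the client cookie because it saw the outgoing query, which is why the quoted reply notes that such an attacker could just as well inject SERVFAIL.

```python
"""Model of the EDNS0 COOKIE option and the resolver-side state targeted by the
attack discussed in the thread. Added example; assumptions are marked inline."""
import os
import struct

COOKIE_OPTION_CODE = 10  # RFC 7873 EDNS0 option code for COOKIE


def encode_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode one EDNS0 option: OPTION-CODE, OPTION-LENGTH, then the cookie data."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8..32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def parse_edns_options(rdata: bytes) -> dict:
    """Parse the option list in an OPT RR's RDATA into {option_code: option_data}."""
    options, pos = {}, 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated option data")
        options[code] = rdata[pos:pos + length]
        pos += length
    return options


def parse_cookie(rdata: bytes):
    """Return (client_cookie, server_cookie) or None when no COOKIE option is present."""
    opts = parse_edns_options(rdata)
    if COOKIE_OPTION_CODE not in opts:
        return None
    data = opts[COOKIE_OPTION_CODE]
    if len(data) == 8:               # client cookie only
        return data, b""
    if 16 <= len(data) <= 40:        # client cookie + 8..32 byte server cookie
        return data[:8], data[8:]
    raise ValueError("malformed COOKIE option length %d" % len(data))


class Resolver:
    """Toy resolver with a per-server server-cookie table (the 'supports-cookie list')."""

    def __init__(self):
        self.server_cookies = {}          # server address -> last learned server cookie
        self.client_cookie = os.urandom(8)

    def build_query_options(self, server: str) -> bytes:
        """OPT RDATA to send to `server`: our client cookie plus any learned server cookie."""
        return encode_cookie_option(self.client_cookie, self.server_cookies.get(server, b""))

    def handle_response(self, server: str, rcode: int, opt_rdata: bytes) -> str:
        """Process one response; returns 'ok', 'learned' or 'fail'."""
        if rcode != 0:
            return "fail"
        cookie = parse_cookie(opt_rdata)
        if cookie is not None:
            client, srv = cookie
            if client != self.client_cookie:
                return "fail"             # does not echo our client cookie: drop it
            if srv:
                learned = server not in self.server_cookies
                self.server_cookies[server] = srv   # assumption: record on first sight
                return "learned" if learned else "ok"
            return "ok"
        # Assumption: once a server cookie is known, a cookieless reply counts as an error.
        if server in self.server_cookies:
            return "fail"
        return "ok"


def simulate_poisoning():
    """Replay the attack from the thread against the toy resolver."""
    r = Resolver()
    victim = "192.0.2.53"                 # constructed; RFC 5737 documentation address
    # 1. The real, cookieless authoritative server is accepted while nothing is recorded.
    first = r.handle_response(victim, 0, b"")
    # 2. An on-path attacker, having seen the query, injects a reply that echoes our
    #    client cookie and carries a forged server cookie (constructed value).
    forged = encode_cookie_option(r.client_cookie, b"A" * 8)
    second = r.handle_response(victim, 0, forged)
    # 3. The real server still answers without a cookie; under the assumption above
    #    the resolver now treats that as a failure.
    third = r.handle_response(victim, 0, b"")
    return first, second, third


if __name__ == "__main__":
    print(simulate_poisoning())
```

The `simulate_poisoning` sequence returns `('ok', 'learned', 'fail')`, which is the whole of the described attack: one forged response flips the resolver's view of the server, and the legitimate server's later replies are what get rejected. Whether a real resolver behaves as step 3 assumes is precisely what the thread disputes.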