Or one can use TSIG with a well known key to get a cryptographic hash of the response. Below is how the servers for the Alexa top 1 Million handle unexpected TSIG. It’s well under a day to add this to a recursive server that supports TSIG already. It’s a couple of minutes of configuration time to add it to an authoritative server that supports TSIG already.
Count, without WKK, with WKK.

https://ednscomp.isc.org/compliance/alexa1m-tsig-wkk.txt
2019-02-24T00:00:05Z

     2 dns=ok dnswkk=eof
    39 dns=failed dnswkk=failed
   348 dns=ok dnswkk=formerr,notsig
    65 dns=timeout dnswkk=formerr,notsig
    10 dns=nosoa,noaa dnswkk=formerr,notsig
     7 dns=servfail dnswkk=formerr,notsig
     3 dns=formerr dnswkk=formerr,notsig
     3 dns=nosoa,noaa,rd dnswkk=formerr,notsig
     3 dns=refused dnswkk=formerr,notsig
     2 dns=noaa dnswkk=formerr,notsig
     1 dns=nxdomain dnswkk=formerr,notsig
     9 dns=ok dnswkk=formerr,notsig,opt (non RFC compliant: OPT record in response)
     2 dns=refused dnswkk=formerr,notsig,opt (non RFC compliant: OPT record in response)
   786 dns=ok dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
    33 dns=refused dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
     6 dns=servfail dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
     3 dns=noaa dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
     3 dns=timeout dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
     1 dns=ok dnswkk=formerr,tsig-bad-sig,proxy (non RFC compliant: TSIG record in response)
     9 dns=rd dnswkk=formerr,tsig-bad-sig,rd (non RFC compliant: TSIG record in response)
   156 dns=refused dnswkk=malformed (non RFC compliant: malformed)
   135 dns=ok dnswkk=malformed (non RFC compliant: malformed)
    38 dns=servfail dnswkk=malformed (non RFC compliant: malformed)
    13 dns=malformed dnswkk=malformed (non RFC compliant: malformed)
    13 dns=timeout dnswkk=malformed (non RFC compliant: malformed)
    10 dns=nosoa dnswkk=malformed (non RFC compliant: malformed)
     8 dns=nxdomain,ad dnswkk=malformed (non RFC compliant: malformed)
     3 dns=nosoa,noaa dnswkk=malformed (non RFC compliant: malformed)
     4 dns=ok dnswkk=noerror,badkey,nosoa,noaa (non RFC compliant: rcode != NOTAUTH)
     4 dns=ok dnswkk=noerror,badkey,tsig-wrong-alg,nosoa,noaa (non RFC compliant: rcode != NOTAUTH)
     3 dns=ok dnswkk=noerror,badkey,tsig-wrong-alg,tsig-bad-time,nosoa,noaa (non RFC compliant: rcode != NOTAUTH)
142252 dns=ok dnswkk=notauth,badkey
  2483 dns=refused dnswkk=notauth,badkey
   694 dns=servfail dnswkk=notauth,badkey
   369 dns=timeout dnswkk=notauth,badkey
   295 dns=nosoa,noaa dnswkk=notauth,badkey
   176 dns=rd dnswkk=notauth,badkey
    43 dns=nosoa dnswkk=notauth,badkey
     9 dns=noaa dnswkk=notauth,badkey
     2 dns=nxdomain dnswkk=notauth,badkey
     2 dns=opt dnswkk=notauth,badkey
     2 dns=refused,rd dnswkk=notauth,badkey
     5 dns=opt dnswkk=notauth,badkey,opt (non RFC compliant: OPT record in response)
   318 dns=ok dnswkk=notauth,badkey,proxy
     6 dns=refused dnswkk=notauth,badkey,proxy
     3 dns=servfail dnswkk=notauth,badkey,proxy
     2 dns=nosoa,noaa dnswkk=notauth,badkey,proxy
     2 dns=timeout dnswkk=notauth,badkey,proxy
     1 dns=rd dnswkk=notauth,badkey,rd,proxy (non RFC compliant: RD=1 in response)
  8238 dns=ok dnswkk=notauth,badkey,tsig-bad-time
   159 dns=refused dnswkk=notauth,badkey,tsig-bad-time
   118 dns=servfail dnswkk=notauth,badkey,tsig-bad-time
    37 dns=nosoa,noaa dnswkk=notauth,badkey,tsig-bad-time
    30 dns=rd dnswkk=notauth,badkey,tsig-bad-time
    17 dns=timeout dnswkk=notauth,badkey,tsig-bad-time
     3 dns=noaa dnswkk=notauth,badkey,tsig-bad-time
     2 dns=nosoa dnswkk=notauth,badkey,tsig-bad-time
    31 dns=ok dnswkk=notauth,badkey,tsig-bad-time,proxy
     2 dns=nosoa,noaa dnswkk=notauth,badkey,tsig-bad-time,proxy
     1 dns=refused dnswkk=notauth,badkey,tsig-bad-time,proxy
    27 dns=ok dnswkk=notauth,badkey,tsig-bad-time,tsig-bad-fudge
   105 dns=ok dnswkk=notauth,badkey,tsig-wrong-alg
     5 dns=nosoa,noaa dnswkk=notauth,badkey,tsig-wrong-alg
     1 dns=ok dnswkk=notauth,badkey,tsig-wrong-alg,proxy
    30 dns=ok dnswkk=notauth,badkey,tsig-wrong-alg,tsig-bad-time
 11401 dns=ok dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
   278 dns=refused dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
    82 dns=timeout dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
    18 dns=nosoa,noaa dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
     5 dns=servfail dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
     2 dns=nxdomain dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
     2 dns=reset dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
     1 dns=nosoa dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
   445 dns=ok dnswkk=notimp,notsig
    45 dns=refused dnswkk=notimp,notsig
     2 dns=notimp dnswkk=notimp,notsig
     2 dns=timeout dnswkk=notimp,notsig
 41201 dns=ok dnswkk=notsig
   284 dns=timeout dnswkk=notsig
    33 dns=servfail dnswkk=notsig
    15 dns=opt dnswkk=notsig
     6 dns=refused dnswkk=notsig
     4 dns=noaa dnswkk=notsig
     2 dns=malformed dnswkk=notsig
     1 dns=cd dnswkk=notsig
     1 dns=nosoa,noaa,rd dnswkk=notsig
     3 dns=cd dnswkk=notsig,cd
     1 dns=ok dnswkk=notsig,cd
    54 dns=noaa dnswkk=notsig,noaa
    13 dns=ok dnswkk=notsig,noaa
     4 dns=opt dnswkk=notsig,noaa
     3 dns=noaa,rd dnswkk=notsig,noaa,rd
   123 dns=nosoa dnswkk=notsig,nosoa
     3 dns=nosoa,noaa,rd dnswkk=notsig,nosoa
     2 dns=nosoa,noaa dnswkk=notsig,nosoa
   311 dns=nosoa,noaa dnswkk=notsig,nosoa,noaa
    78 dns=nosoa,noaa,rd dnswkk=notsig,nosoa,noaa,rd
     8 dns=ok dnswkk=notsig,nosoa,noaa,rd
     3 dns=nosoa dnswkk=notsig,nosoa,noaa,rd
     5 dns=nosoa,rd dnswkk=notsig,nosoa,rd
    15 dns=opt dnswkk=notsig,opt
     1 dns=timeout dnswkk=notsig,opt
     1 dns=opt,cd dnswkk=notsig,opt,cd
     1 dns=nosoa,noaa dnswkk=notsig,opt,nosoa,noaa
    27 dns=rd dnswkk=notsig,rd
     6 dns=timeout dnswkk=notsig,rd
    21 dns=nxdomain dnswkk=nxdomain,notsig
     3 dns=ok dnswkk=ok
   121 dns=ok dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
    20 dns=servfail dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
    19 dns=refused dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
     1 dns=nosoa,noaa dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
     1 dns=timeout dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
     5 dns=refused dnswkk=refused,badkey,tsig-bad-time (non RFC compliant: rcode != NOTAUTH)
   996 dns=refused dnswkk=refused,notsig
     2 dns=ok dnswkk=refused,notsig (non RFC compliant: REFUSED when plain DNS not REFUSED)
    33 dns=refused dnswkk=refused,tsig-bad-sig (likely non RFC compliant)
     1 dns=ok dnswkk=reset
     1 dns=reset dnswkk=reset
  1258 dns=ok dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
   139 dns=servfail dnswkk=servfail,notsig
    21 dns=refused dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
    10 dns=nosoa,noaa dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
    10 dns=timeout dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
     2 dns=nxdomain,soa dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
     1 dns=noaa dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
     1 dns=rd dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
    48 dns=ok dnswkk=servfail,tsig-bad-sig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
     9 dns=servfail dnswkk=servfail,tsig-bad-sig
 17621 dns=timeout dnswkk=timeout
  1305 dns=ok dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
    22 dns=refused dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     6 dns=servfail dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     5 dns=malformed dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     4 dns=rd dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     2 dns=nosoa dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     2 dns=nosoa,noaa dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     2 dns=nosoa,noaa,rd dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     1 dns=nosoa,rd dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     1 dns=opt dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
    46 dns=ok dnswkk=tsig-bad-sig
     4 dns=timeout dnswkk=tsig-bad-sig
     4 dns=update dnswkk=tsig-bad-sig
     7 dns=nosoa dnswkk=tsig-bad-sig,nosoa
     1 dns=timeout dnswkk=tsig-bad-sig,nosoa
     1 dns=nosoa,noaa dnswkk=tsig-bad-sig,nosoa,noaa
     1 dns=ok dnswkk=tsig-not-last,tsig-bad-sig (non RFC compliant: TSIG not last record in additional section)

> On 1 Mar 2019, at 11:14 pm, fujiw...@jprs.co.jp wrote:
>
> Dear DNSOP,
>
> I submitted draft-fujiwara-dnsop-fragment-attack-01.
>
> https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
>
> It summarizes DNS cache poisoning attacks using IP fragmentation
> and countermeasures.
>
> If the draft is of interest, I will request a timeslot at IETF 104.
>
> I think it is time to consider avoiding IP fragmentation in DNS.
> It is possible to avoid IP fragmentation as much as possible.
>
> It is not good that DNS is the biggest user of IP fragmentation.
>
> Regards,
>
> --
> Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>
>
> A new version of I-D, draft-fujiwara-dnsop-fragment-attack-01.txt
> has been successfully submitted by Kazunori Fujiwara and posted to the
> IETF repository.
>
> Name: draft-fujiwara-dnsop-fragment-attack
> Revision: 01
> Title: Measures against cache poisoning attacks using IP fragmentation in DNS
> Document date: 2019-03-01
> Group: Individual Submission
> Pages: 13
> URL: https://www.ietf.org/internet-drafts/draft-fujiwara-dnsop-fragment-attack-01.txt
> Status: https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-fragment-attack/
> Htmlized: https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
> Htmlized: https://datatracker.ietf.org/doc/html/draft-fujiwara-dnsop-fragment-attack
> Diff: https://www.ietf.org/rfcdiff?url2=draft-fujiwara-dnsop-fragment-attack-01
>
> Abstract:
> Researchers proposed practical DNS cache poisoning attacks using IP
> fragmentation. This document shows feasible and adequate measures at
> full-service resolvers and authoritative servers against these
> attacks. To protect resolvers from these attacks, avoid
> fragmentation (limit requestor's UDP payload size to 1220/1232), drop
> fragmented UDP DNS responses and use TCP at resolver side. To make a
> domain name robust against these attacks, limit EDNS0 Responder's
> maximum payload size to 1220, set DONTFRAG option to DNS response
> packets and use good random fragmentation ID at authoritative server
> side.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
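As an added illustration of what a well-known TSIG key buys a resolver (this is example code, not from the post, from ISC or from the ednscomp tool): the MAC that TSIG computes over a query and its reply per RFC 8945, using a constructed key name and secret, with a resolver-side check that labels failures the way the table above does (badkey, tsig-bad-sig, tsig-bad-time). The key name, secret, message contents and timestamp are all assumptions made for this example.

```python
import hashlib, hmac, struct, time
# Constructed well-known key: the name and secret are assumptions for this example.
WKK_NAME = "wkk.example."
WKK_SECRET = b"constructed-well-known-key-not-a-real-secret"
ALGORITHM = "hmac-sha256."

def wire_name(name):
    # DNS wire format, lowercased: TSIG MACs are computed over the canonical form of names
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").lower().split(".")) + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    # RFC 8945 4.3.3: key name, CLASS=ANY(255), TTL=0, algorithm, 48-bit time, fudge, error, other
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other))
            + other)

def dns_message(msg_id, flags, qname, qtype=1, rdata=None):
    # Minimal message: header + one question, optionally one answer RR; no TSIG RR appended yet
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, 1 if rdata else 0, 0, 0)
    msg += wire_name(qname) + struct.pack("!HH", qtype, 1)
    if rdata:
        msg += wire_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return msg

def sign(msg, key_name, time_signed, fudge=300, request_mac=None):
    # MAC over the pre-TSIG message (RFC 8945 4.3); a reply's MAC also covers the request MAC
    data = b"" if request_mac is None else struct.pack("!H", len(request_mac)) + request_mac
    data += msg + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(WKK_SECRET, data, hashlib.sha256).digest()

def verify(msg, mac, key_name, time_signed, fudge, request_mac=None, now=None):
    # Resolver-side check in RFC 8945 5.2 order: key, then signature, then time window
    now = int(time.time()) if now is None else now
    if key_name.lower() != WKK_NAME:
        return (False, "badkey")
    if not hmac.compare_digest(sign(msg, key_name, time_signed, fudge, request_mac), mac):
        return (False, "tsig-bad-sig")
    if abs(now - time_signed) > fudge:
        return (False, "tsig-bad-time")
    return (True, "ok")

def demo(now=1551398400):
    query = dns_message(0x1234, 0x0000, "www.example.")
    qmac = sign(query, WKK_NAME, now)
    reply = dns_message(0x1234, 0x8400, "www.example.", rdata=bytes([192, 0, 2, 1]))
    rmac = sign(reply, WKK_NAME, now, request_mac=qmac)
    good = verify(reply, rmac, WKK_NAME, now, 300, request_mac=qmac, now=now)
    altered = reply[:-1] + bytes([reply[-1] ^ 0x01])  # one byte of the A record changed in transit
    bad = verify(altered, rmac, WKK_NAME, now, 300, request_mac=qmac, now=now)
    return good, bad
```

A server that does not hold the key cannot produce `rmac` at all; per the table, the compliant reaction is NOTAUTH with a TSIG error of BADKEY, and the resolver then knows the reply carries no integrity protection.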