On Sat, Oct 10, 2020 at 11:34:11AM -0400, John Levine wrote:
> In article <20201010032517.gm89...@kduck.mit.edu> you write:
> >There's two general classes of attack to consider: when an external
> >attacker takes an existing ZONEMD and tries to modify the associated zone,
> >or when the zone provider is the malicious entity that wants to provide
> >different content to different people but give them the same digest value ...
>
> I think there's a third threat, a transcription error due to
> transmission error or other kinds of bitrot. I send zone files between
> my DNS servers over ssh, so the chances of an external attack are low,
> but particularly as zone files continue to grow, the protection of the
> TCP checksum is less effective. On my rather small DNS setup I have a
> 71MB zone and I don't think that's unusual. In many, probably most,
> cases a bit flip or two would produce DNS data that is still valid but
> wrong, e.g., change the address in AAAA or the characters in a name
> anywhere.

At risk of being overly glib, "Murphy is often a very effective attacker".
That is, the analysis for this decomposes into a subset of the first case I
listed.

-Ben

> That's why there are situations where a zone digest can be useful
> even without a DNSSEC validation chain.
>
> R's,
> John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
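As an added illustration of the bitrot case John raises (example code written for this page, not from the thread or from any ZONEMD implementation): it flips a single bit in the wire form of an AAAA record and shows the result is still a syntactically valid address that a server would happily load, computes a SHA-384 digest over a simplified canonical serialization of the zone (text lines in sorted order, not the DNS wire-format input a real ZONEMD record hashes, so the value is not a real ZONEMD), and constructs a two-bit corruption that the 16-bit one's-complement checksum TCP carries cannot distinguish from the original. The zone records and the `.test` names are constructed for the example.

```python
import hashlib
import ipaddress

# Constructed sample zone in presentation form (owner, TTL, type, rdata);
# hypothetical names under .test, not real data.
ZONE = [
    ("example.test.", 3600, "SOA",
     "ns1.example.test. hostmaster.example.test. 2020101001 7200 3600 1209600 3600"),
    ("example.test.", 3600, "NS", "ns1.example.test."),
    ("ns1.example.test.", 3600, "AAAA", "2001:db8::53"),
    ("www.example.test.", 3600, "AAAA", "2001:db8::80"),
]


def canonical_records(zone):
    """Sort records into a deterministic order and render one RR per line.
    This mirrors the idea of hashing an ordered zone, but is a simplified
    text serialization, not the DNS wire-format input a real ZONEMD uses."""
    return sorted(f"{name}\t{ttl}\tIN\t{rtype}\t{rdata}"
                  for name, ttl, rtype, rdata in zone)


def zone_bytes(zone):
    return "\n".join(canonical_records(zone)).encode()


def digest_hex(data):
    """SHA-384, the hash algorithm ZONEMD uses, over arbitrary bytes."""
    return hashlib.sha384(data).hexdigest()


def zone_digest(zone):
    return digest_hex(zone_bytes(zone))


def internet_checksum(data):
    """RFC 1071 16-bit one's-complement checksum, the kind TCP carries."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def is_valid_ipv6(text):
    try:
        ipaddress.IPv6Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def corrupt_first_aaaa(zone, bit_index):
    """Flip one bit (0..127, MSB first) in the wire form of the first AAAA
    rdata. Any 128-bit pattern is a syntactically valid address, so the
    corrupted zone still loads; only its meaning has changed."""
    out, done = [], False
    for name, ttl, rtype, rdata in zone:
        if rtype == "AAAA" and not done:
            wire = bytearray(ipaddress.IPv6Address(rdata).packed)
            wire[bit_index // 8] ^= 1 << (7 - bit_index % 8)
            rdata = str(ipaddress.IPv6Address(bytes(wire)))
            done = True
        out.append((name, ttl, rtype, rdata))
    return out


def two_flips_same_checksum(data):
    """Corrupt two bytes so the one's-complement checksum is unchanged:
    raise the low bit of one 16-bit word and lower the low bit of another,
    so the integer sum of all words (and thus the checksum) is identical."""
    words = range(0, len(data) - 1, 2)
    up = next(i for i in words if data[i + 1] & 1 == 0)
    down = next(i for i in words if data[i + 1] & 1 == 1)
    out = bytearray(data)
    out[up + 1] ^= 1
    out[down + 1] ^= 1
    return bytes(out)


if __name__ == "__main__":
    bad = corrupt_first_aaaa(ZONE, 127)
    print("corrupted AAAA:", bad[2][3], "valid:", is_valid_ipv6(bad[2][3]))
    print("digest changed:", zone_digest(ZONE) != zone_digest(bad))
    original = zone_bytes(ZONE)
    mangled = two_flips_same_checksum(original)
    print("checksum equal:", internet_checksum(original) == internet_checksum(mangled))
    print("digest equal:  ", digest_hex(original) == digest_hex(mangled))
```

The two functions at the end make the point from the thread concrete: a corrupted AAAA is indistinguishable from a legitimate one by syntax alone, and a 16-bit additive checksum is blind to any pair of changes that cancel in the sum, which becomes more likely as the amount of data it covers grows. A cryptographic digest over the whole zone has neither weakness, independently of whether the zone is DNSSEC-signed.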