On 2/29/24 18:06, Paul Wouters wrote:
>> (If no action is taken, malicious activity might follow now that it is described, but I have not heard of a historical case of it.)
> This attack was more or less described five years ago: https://essay.utwente.nl/78777/
> They didn’t get to the same amplification levels, but if attackers had been
> interested, they could have picked it up as a tool to improve. Scripts to run
> were attached to the paper.
My take is that with the current mitigations (tolerate a very small but nonzero
number of keytag collisions), it's unlikely that this will be exploited in any
significant way, as the attacker's gain is very limited.
As has been pointed out, no such attacks have been observed in the wild,
although another flavor of it has been known for years.
Let's not assume there's a big problem unless there actually is an indication
of it. Perhaps we can leave things as they are (with current mitigations), and
only once we find that's not enough, with attacks happening and causing much
resource usage, then revisit. There's no need to do this now.
> But also, a resolver that sees a higher than normal load could temporarily take
> certain actions like sacrificing zones with key tag collisions. It doesn’t mean
> it ALWAYS has to do it.
Exactly.
Peter
--
https://desec.io/
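As an added illustration, not code from this thread or from any resolver, here is a small Python model of the mitigation discussed above: the RFC 4034 Appendix B key tag is computed over each DNSKEY, the validator counts how many keys share a tag (each extra colliding key is one more signature verification per RRSIG), tolerates a small nonzero number of collisions in normal operation, and drops the tolerance to zero in a temporary under-load mode. The DNSKEY RDATA below is constructed sample data with a deliberate collision (swapping two 16-bit words leaves the tag unchanged); the function names and the threshold of one excess key are assumptions for the example.

```python
from collections import Counter

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|pubkey)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA; protocol is always 3 (RFC 4034)."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def collision_report(rrset: list[bytes]) -> dict[int, int]:
    """Map key tag -> number of keys sharing it, for tags held by more than one key."""
    tags = Counter(key_tag(r) for r in rrset)
    return {tag: n for tag, n in tags.items() if n > 1}

def excess_collisions(rrset: list[bytes]) -> int:
    """Keys beyond the first for every tag: the extra verifications an RRSIG can cost."""
    return sum(n - 1 for n in collision_report(rrset).values())

def candidate_keys(rrset: list[bytes], rrsig_tag: int, algorithm: int) -> list[bytes]:
    """Keys a validator would have to try for an RRSIG with this tag/algorithm."""
    return [r for r in rrset if key_tag(r) == rrsig_tag and r[3] == algorithm]

def accept_dnskey_rrset(rrset: list[bytes], max_collisions: int = 1,
                        under_load: bool = False) -> bool:
    """Normal mode tolerates a small nonzero number of colliding keys; the
    temporary under-load mode sacrifices any zone with key tag collisions."""
    limit = 0 if under_load else max_collisions
    return excess_collisions(rrset) <= limit

# Constructed sample DNSKEYs (algorithm 13, 64-byte keys), not real zone data.
KSK_A = dnskey_rdata(257, 13, bytes(range(1, 65)))
KSK_B = dnskey_rdata(257, 13, bytes([3, 4, 1, 2]) + bytes(range(5, 65)))   # same tag as A
KSK_C = dnskey_rdata(257, 13, bytes([1, 2, 3, 4, 7, 8, 5, 6]) + bytes(range(9, 65)))
ZSK = dnskey_rdata(256, 13, bytes(range(65, 129)))
SAMPLE_RRSET = [KSK_A, KSK_B, ZSK]

if __name__ == "__main__":
    print("collisions:", collision_report(SAMPLE_RRSET))            # {2098: 2}
    print("accept (normal):", accept_dnskey_rrset(SAMPLE_RRSET))      # True
    print("accept (under load):", accept_dnskey_rrset(SAMPLE_RRSET, under_load=True))  # False
```

Feeding the same RRset plus KSK_C (a third key on the same tag) exceeds the tolerated excess and the RRset is rejected even in normal mode.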
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop