On 31. 07. 24 15:56, Vladimír Čunát wrote:
> On 31/07/2024 15.29, Petr Špaček wrote:
>> Per-zone limit does not defend against resource exhaustion because an
>> attacker can construct a chain of delegations a.b.c.d.e...... and max
>> out the limit on each level. Then you instantly get about 126*(per-zone
>> limit on validations) just for this particular attack vector.
> That's part of why I think the implementations need a different approach
> (than this RFC, too). Attackers can combine. Do these long delegation
> chains, and jump through several of them by CNAMEs, and put max. number
> of RRSIGs everywhere in a way that many fail, etc.
Indeed that's exactly what I did when we were testing our KeyTrap fixes
for BIND!
--
Petr Špaček
Internet Systems Consortium
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
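A worked model of the multiplication described in the thread above, added here as an example; it is not code from the thread, from BIND, or from any other resolver. The per-zone cap, the per-query budget and the attacker's chain (one-octet labels, a CNAME at the end of each chain) are constructed numbers; the only real constraint used is the 255-octet wire-format name limit, which is what bounds the delegation depth to roughly the "about 126" levels quoted above (127 one-octet labels fit).

```python
"""
Model of why a per-zone validation limit does not bound resolver work.

Added example: not from the DNSOP thread, BIND, or any other resolver.
The per-zone cap, the per-query budget and the attacker's chain are
hypothetical values chosen for illustration.
"""

MAX_NAME_OCTETS = 255     # wire-format limit on a domain name (RFC 1035), root label included
MAX_LABEL_OCTETS = 63     # wire-format limit on one label (RFC 1035)
PER_ZONE_LIMIT = 16       # hypothetical: validations a resolver allows per zone cut
PER_QUERY_BUDGET = 64     # hypothetical: validations a resolver allows per resolution


def wire_length(name: str) -> int:
    """Octets the name occupies on the wire: each label costs len+1, plus 1 for the root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    if any(len(lbl) > MAX_LABEL_OCTETS for lbl in labels):
        raise ValueError("label longer than 63 octets")
    return sum(len(lbl) + 1 for lbl in labels) + 1


def max_delegation_depth(label_len: int = 1) -> int:
    """Deepest chain of equal-length labels (one zone cut per label) that fits in 255 octets."""
    return (MAX_NAME_OCTETS - 1) // (label_len + 1)


def build_chain_name(depth: int, label: str = "a") -> str:
    """Attacker's query name a.a.a....a. with `depth` labels, i.e. `depth` delegations below root."""
    name = ".".join([label] * depth) + "."
    if wire_length(name) > MAX_NAME_OCTETS:
        raise ValueError("chain too deep for one name")
    return name


def attack_chain(depth: int, cname_hops: int, sigs_per_zone: int) -> list:
    """Failing signatures the attacker plants at each zone cut the resolver visits:
    a full delegation chain, restarted `cname_hops` times by a CNAME at the end."""
    return [sigs_per_zone] * depth * (cname_hops + 1)


def validations_with_per_zone_limit(chain: list, per_zone_limit: int) -> int:
    """Work when every zone cut gets its own cap: grows linearly with depth and CNAME hops."""
    return sum(min(sigs, per_zone_limit) for sigs in chain)


def validations_with_per_query_budget(chain: list, budget: int) -> int:
    """Work when one budget spans the whole resolution, CNAME hops included:
    once it is spent the resolver stops (a real resolver would answer SERVFAIL)."""
    done = 0
    for sigs in chain:
        if done >= budget:
            break
        done += min(sigs, budget - done)
    return done


if __name__ == "__main__":
    depth = max_delegation_depth()               # 127 one-octet labels fit in one name
    name = build_chain_name(depth)
    chain = attack_chain(depth, cname_hops=3, sigs_per_zone=PER_ZONE_LIMIT)
    print(f"{name[:12]}... ({depth} labels, {wire_length(name)} octets on the wire)")
    print("per-zone limit  :", validations_with_per_zone_limit(chain, PER_ZONE_LIMIT))
    print("per-query budget:", validations_with_per_query_budget(chain, PER_QUERY_BUDGET))
```

The per-zone counter yields depth * hops * cap validations (thousands for a single query in this toy), whereas a counter that lives with the resolution itself, and survives CNAME restarts, caps the work at the budget regardless of how the attacker shapes the chain.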