On Sat, 7 Sep 2013, Aaron Campbell wrote:

> On 2013-09-06, at 1:42 PM, Robert Edmonds wrote:
>
>> Aaron Campbell wrote:
>>> Here is a thought, but I will defer to the protocol experts on plausibility.  The
>>> resolver knows the size of each DNS message it parses.  What if it didn't trust
>>> glue records contained within large (i.e., > 1400 bytes or so) responses?  In
>>> these cases, the resolver sends a separate query to resolve the dangling authority
>>> NS records.  This introduces overhead, but only for large replies.  It also makes
>>> a few assumptions, namely that the fragmentation point is something around 1500
>>> bytes (and not something lower), and that the attack is only practical against the
>>> glue records, not the authority section.  May be able to play games with name
>>> compression there though… perhaps it is at least worth discussing as an additional
>>> barrier.
>>
>> this sounds vaguely similar to unbound's "harden-referral-path" option,
>> though it applies to all lookups.
>
>
> I researched this, and found that it was first described here:
>
> http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01#section-3.3
>
> The option is currently marked "experimental" due to not being RFC standard,
> and performance concerns.  If the option were applied only to large responses
> (specifically to mitigate this type of attack), that would reduce the performance impact.

This option has been enabled for years in the RHEL/EPEL and Fedora
standard configurations of unbound.

Paul
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
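The following is an added toy model of the size-gated glue policy Aaron proposes above, written for this page; it is not code from the thread's authors, from Unbound, or from the draft Aaron links. It builds two constructed referral responses in DNS wire format (a small one and one well past the fragmentation point), parses the authority and additional sections with a compression-pointer-aware name decoder, and then applies the rule: glue is only used when the whole message is at or below an assumed 1400-byte threshold, otherwise every authority NS target is scheduled for a separate lookup. The threshold constant, the example zone and addresses, and the IPv4-only glue handling are assumptions of this example. The name decoder rejects forward and looping compression pointers, which is the minimum a resolver needs before it can reason about "games with name compression" at all.

```python
"""Size-gated glue trust: toy model of the mitigation discussed on the list.

Constructed example, not Unbound's or the draft's code.  Assumptions:
FRAGMENT_THRESHOLD of 1400 bytes, IPv4 glue only, example.net names.
"""
import struct

FRAGMENT_THRESHOLD = 1400          # assumed: "1400 bytes or so" from the thread
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it).

    Pointers must point backwards and the hop count is bounded, so a
    malformed message cannot make the parser loop or read forward into
    data it has not yet validated.
    """
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            break
        off += 1
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end


def parse_sections(msg):
    """Return (answer, authority, additional) as lists of (owner, type, rdata)."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata_off, off = off, off + rdlen
            if rtype == TYPE_NS:
                rdata, _ = read_name(msg, rdata_off)
            elif rtype == TYPE_A:
                rdata = ".".join(str(b) for b in msg[rdata_off:rdata_off + 4])
            else:
                rdata = msg[rdata_off:off]
            rrs.append((owner, rtype, rdata))
        sections.append(rrs)
    return sections


def evaluate_referral(msg, threshold=FRAGMENT_THRESHOLD):
    """Apply the size gate.  Returns (glue to use, NS names to look up separately)."""
    _, authority, additional = parse_sections(msg)
    ns_targets = {rdata for _, rtype, rdata in authority if rtype == TYPE_NS}
    glue = {}
    for owner, rtype, rdata in additional:
        if rtype == TYPE_A and owner in ns_targets:  # only in-bailiwick-relevant glue
            glue.setdefault(owner, []).append(rdata)
    if len(msg) > threshold:                       # large reply: distrust all glue
        return {}, sorted(ns_targets)
    return glue, sorted(ns_targets - set(glue))


def build_referral(qname, zone, ns_names, glue, txid=0x1234):
    """Build a referral (empty answer, NS in authority, A glue in additional).

    The NS owner is written as a compression pointer into the question name,
    so the parser's pointer path is exercised.  Constructed test data only.
    """
    assert qname.endswith(zone)
    q = encode_name(qname)
    msg = struct.pack("!6H", txid, 0x8000, 1, 0, len(ns_names), len(glue))
    msg += q + struct.pack("!HH", TYPE_A, CLASS_IN)
    zone_off = 12 + len(q) - len(encode_name(zone))
    owner = struct.pack("!H", 0xC000 | zone_off)
    for ns in ns_names:
        rdata = encode_name(ns)
        msg += owner + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(rdata)) + rdata
    for ns, addr in glue:
        rdata = bytes(int(o) for o in addr.split("."))
        msg += encode_name(ns) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + rdata
    return msg


def small_referral():
    """Constructed: two NS records with glue, well under the threshold."""
    names = ["ns1.example.net.", "ns2.example.net."]
    return build_referral("www.example.net.", "example.net.", names,
                          [(n, "192.0.2.%d" % (i + 1)) for i, n in enumerate(names)])


def large_referral():
    """Constructed: 40 NS records with glue, far past the threshold."""
    names = ["ns%02d.example.net." % i for i in range(1, 41)]
    return build_referral("www.example.net.", "example.net.", names,
                          [(n, "192.0.2.%d" % (i + 1)) for i, n in enumerate(names)])


if __name__ == "__main__":
    for label, msg in (("small", small_referral()), ("large", large_referral())):
        used, requery = evaluate_referral(msg)
        print(label, len(msg), "bytes: glue used for", sorted(used), "; re-query", requery)
```

Running the module shows the trade-off Aaron describes: the small referral's glue is used as-is, while the large one costs one extra lookup per NS name but never lets a glue record from a fragmentable reply into the cache. Applying the same gate only above the threshold, rather than to every lookup as `harden-referral-path` does, is what keeps the overhead confined to large replies.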