On 18 Aug 2008, at 00:43, Dean Anderson wrote:
First, Putting any kind of large record in the root creates the
opportunity to use root servers in a DOS attack by sending queries for
the large records to the root servers.
Well in that case we better not put anything into any DNS zone.
Because a botnet that's in a net that doesn't do proper egress
filtering could use spoofed source addresses to generate lots of DNS
responses from any decent authoritative server infrastructure for a
(D)DoS attack. The actual size of the DNS responses doesn't matter.
What's the difference between 50 million DNS responses of 1 Kb each
and 500 million of 100 bytes? In other words, if the botnet's not big
enough to do the necessary damage, just get a bigger one.
Second, as I start to look closer at DNSSEC, there appears to be a
problem in the DNSSEC protocol in that if caching servers don't care
about DNSSEC, then caches could store RRSIG records that are out of
sync
with the RR they sign.
This makes no sense. If caching servers don't care about DNSSEC, why
would they be storing RRSIGs? Please explain. And why would these
caching servers be signing anything? It's the master server that signs
the zone.
I suspect you're talking about the absurdly hypothetical scenario
where someone gets a non DNSSEC-aware resolving server to lookup some
RRSIG, then the zone is resigned, then they ask that server for the
QTYPE that the already cached RRSIG once signed. If that's the
situation you've dreamt up, so what? Have you read and actually
understood RFC3225? Nobody's going to get that cached RRSIG unless
they query the caching server with the DO bit set. Which the server
will ignore because it doesn't care about DNSSEC. So it won't send a
response containing the cached RRSIG. Now if that resolving server
does pay attention to the DO bit, it will set it on the query it makes
to the authoritative server. That makes the authoritative server
return an answer which will contain the new RRSIG and the resolving
server's cache is updated accordingly.
Even if you're talking about some other scenario, your concern is
still unjustified. Whatever contrivance you've invented will be no
different from the case where a resolving server queries a slave that
hasn't yet picked up the latest version of the zone from the master
server. Which can happen irrespective of whether DNSSEC is used or
not. The DNS is a loosely coherent distributed database after all.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
