On Mon, 8 Sep 2008, Ron Bonica wrote:

> Do you deny that the vulnerabilities described in this document *could*
> be exploited? If this is your claim, and you can substantiate it, the WG
> will entertain your objection.
I'm asserting that whatever vulnerabilities do exist can be mitigated in ordinary ways without closing open recursors, including by BCP38.

> However, if you are arguing any or all of the following, the WG will not
> entertain your objection:
>
> - that there have only been two attacks
> - that these attacks were contrived
> - that the organization reporting these attacks is not credible
> - that the organization reporting these attacks has not satisfied your
> requests for evidence
> - that there are easier ways to attack DNS
>
> This is because vulnerabilities need to be mitigated, regardless of
> whether they have been exploited.

All protocols have theoretical vulnerabilities. Your assertion that "vulnerabilities need to be mitigated, regardless of whether they have been exploited" is without basis. ICMP PING can be exploited, and is not especially mitigated by the IETF. Whatever vulnerabilities are posed by open recursors can be mitigated in other, cheaper ways, without closing open recursors. This document (and the specific action it states: closing open recursors) is not necessary to mitigate open recursor abuse.

Open recursors have legitimate users and legitimate uses, especially in light of recent cache poisoning attacks. One does not want to trust someone else's recursor. Closing open recursors has a significant expense in security and cost of new servers, and should be well-justified.

Your assertion that false statements, contrived attacks, discredited sources, and lack of evidence of harm are somehow not legitimate reasons to dispute a document is also without basis, and indeed is refuted by IESG actions in TLS-AUTHZ.

The fabrications made for this document amount to fraud on the public. It appears that proponents of this document are _encouraging_ exploitation of open recursors in the Rapid Enumeration Tool. (see www.dnssec.net/software) The 'recursors-are-evil' document is just a fraudulent scheme to sell DNSSEC software.
Rapid Enumeration Tool (RET) by Nominet UK
--------------------------------------------------------------------------------

The Rapid Enumeration Tool (RET) is designed to use DNSSEC NSEC records to enumerate zone data quickly whilst evading detection by systems which might be designed specifically to identify zone enumeration activity. It does this by using one or more open recursive resolvers to forward queries to the authoritative name servers for the zone. Each resolver is configured with its own 'personality', specifying query rates, query failure/success ratio, proportions of query types, query name decoration, etc. This allows the RET to feed queries to each resolver that are specifically tailored to match the queries that a resolver might typically send to the authoritative name server.

Unlike other NSEC resource record 'walkers', the RET does not explicitly query for NSEC RRs to walk the zone. Instead, it combines a 'walker' approach with a dictionary attack (combined with a random name generator for more awkward cases). This means that discernible artifacts in the pattern of queries that arrive at the authoritative servers should be minimised.

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000