One thought on DNSSEC and this attack. DNSSEC couldn't have prevented this attack, as anyone authorized to update the .com zone for a domain can update the DS records just as easily as the NS+glue records. And the attack could have done orders of magnitude more damage.
Yet DNSSEC can create an anomaly that may prove useful: If the DS changes but the NS+glue does not, or the NS changes but the DS does not, this is a legit change from the registrar viewpoint, as someone needs to change BOTH to be more than just a DOS on the domain. But if BOTH the DS and NS+glue records for a domain change in a single event, this is NECESSARY for an attack that is more than a DOS, yet it is NOT NECESSARY for a migration (as a migration can change one and then the other).

How does the following policy strike people for DNSSEC recursive resolvers which perform validation: Keep all seen DS and PARENT NS+glue RRSETs in a much-longer-than-normal (2 day timeout) cache. When the DS or parent NS+glue RRSET changes, record that change (but still note the old version) in the cache. If the other one changes, mark that domain as bogus until either 2 days pass from the first change OR one or the other changes back to the older value.

What this accomplishes: Registrar hijacks are no longer silent in the face of DNSSEC: it will result in a DOS on the domain rather than full control. The protection is temporary, and is assuming that the registrar will be straightened out in two days. Which is probably a reasonable assumption, since registrar hijack is now producing a DOS on the domain (making it visible) if it's all done at once. If the attacker first changes one and then the other, there is a two-day window where the site operator can notice the attack by monitoring the TLD status for the site's domain. While "proper" migrations under the scheme (2 days between DS change and NS change) are always good, and "improper" migrations do produce a DOS, the DOS is limited to 2 days.

In terms of deployment, if Nominum would do this, now basically everyone gets protected, since Nominum's usage by Comcast for recursive resolver validation guarantees that there is a large customer base which will be behind such protection, making this very visible.

Thoughts? Comments?
--
Nicholas Weaver                it is a tale, told by an idiot,
[email protected]              full of sound and fury,
510-666-2903                   signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
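The resolver-side policy proposed in the message above, simulated as an added example (this is not code from the post, from Nominum, or from any resolver implementation). It assumes the DS and parent NS+glue RRsets are reduced to opaque strings (for instance a hash of the sorted RRset), keeps one unsettled change per RRset per domain for a two-day window, and returns "bogus" only while BOTH the DS and the parent NS+glue carry an unsettled change; "pass" means the policy does not object and normal DNSSEC validation proceeds. The scenario functions at the bottom use constructed timestamps and RRset labels and correspond to the cases the post discusses: a simultaneous hijack, a "proper" migration, an "improper" migration, and a staged hijack that the operator reverts.

```python
"""Simulation of the 'both DS and parent NS+glue changed' policy for a validating resolver.

Added example, not part of the original mailing-list post. RRsets are modelled as
opaque strings; timestamps are seconds. Nothing here talks to the network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOUR = 3600
DAY = 24 * HOUR
TWO_DAYS = 2 * DAY  # the longer-than-normal retention window from the post


@dataclass
class _Tracked:
    """One RRset (DS or parent NS+glue) with at most one unsettled change."""
    cur: Optional[str] = None           # RRset currently seen at the parent
    prev: Optional[str] = None          # value before the last unsettled change
    changed_at: Optional[float] = None  # when cur replaced prev; None = settled

    def settle_if_expired(self, now: float, window: float) -> None:
        # After the window the change is treated as legitimate and forgotten.
        if self.changed_at is not None and now - self.changed_at >= window:
            self.prev, self.changed_at = None, None

    def observe(self, value: str, now: float) -> None:
        if self.cur is None:            # first sighting: nothing to compare against
            self.cur = value
            return
        if value == self.cur:           # no change
            return
        if self.prev is not None and value == self.prev:
            # Changed back to the older value: the post treats this as clearing the alarm.
            self.cur, self.prev, self.changed_at = value, None, None
            return
        # A fresh change: remember the old version so a revert can be recognised.
        self.prev, self.cur, self.changed_at = self.cur, value, now

    @property
    def pending(self) -> bool:
        return self.changed_at is not None


@dataclass
class ParentChangeTracker:
    """Per-domain history of DS and parent NS+glue RRsets (the long-lived cache)."""
    window: float = TWO_DAYS
    _ds: Dict[str, _Tracked] = field(default_factory=dict)
    _ns: Dict[str, _Tracked] = field(default_factory=dict)

    def observe(self, domain: str, ds: str, ns_glue: str, now: float) -> str:
        ds_t = self._ds.setdefault(domain, _Tracked())
        ns_t = self._ns.setdefault(domain, _Tracked())
        for tracked in (ds_t, ns_t):
            tracked.settle_if_expired(now, self.window)
        ds_t.observe(ds, now)
        ns_t.observe(ns_glue, now)
        # Both RRsets changed inside the window: necessary for a takeover,
        # unnecessary for a migration, so refuse to validate the zone.
        return "bogus" if ds_t.pending and ns_t.pending else "pass"


def scenario(events: List[Tuple[float, str, str]]) -> List[str]:
    """Feed (time, ds, ns_glue) observations for one domain; return the verdicts."""
    tracker = ParentChangeTracker()
    return [tracker.observe("example.com.", ds, ns, t) for t, ds, ns in events]


# Constructed scenarios; "ds-A"/"ns-A" are the legitimate RRsets, "-X" the attacker's.
def simultaneous_hijack() -> List[str]:
    # Both change at once -> bogus (a visible DOS) until the window expires.
    return scenario([(0, "ds-A", "ns-A"), (HOUR, "ds-X", "ns-X"),
                     (DAY, "ds-X", "ns-X"), (2 * DAY + HOUR, "ds-X", "ns-X")])


def proper_migration() -> List[str]:
    # DS changes first; NS+glue changes two days later -> never bogus.
    return scenario([(0, "ds-A", "ns-A"), (HOUR, "ds-B", "ns-A"),
                     (2 * DAY + HOUR, "ds-B", "ns-B")])


def improper_migration() -> List[str]:
    # Both changed together -> a DOS limited to the two-day window.
    return scenario([(0, "ds-A", "ns-A"), (HOUR, "ds-B", "ns-B"),
                     (2 * DAY + HOUR, "ds-B", "ns-B")])


def staged_hijack_then_revert() -> List[str]:
    # Attacker changes DS, then NS; operator restores the old NS+glue -> alarm clears.
    return scenario([(0, "ds-A", "ns-A"), (HOUR, "ds-X", "ns-A"),
                     (2 * HOUR, "ds-X", "ns-X"), (3 * HOUR, "ds-X", "ns-A")])


if __name__ == "__main__":
    for fn in (simultaneous_hijack, proper_migration, improper_migration,
               staged_hijack_then_revert):
        print(f"{fn.__name__}: {fn()}")
```

One design point worth noting when reading the scenarios: the revert rule clears the alarm as soon as either RRset returns to its remembered old value, exactly as the post proposes. In the staged-hijack case that leaves the attacker's DS in place with the legitimate NS+glue restored, which ordinary DNSSEC validation will then reject on its own because the zone's signatures no longer match the DS; the policy here only adds the extra "both changed" check on top of that.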
