On Mon, Nov 13, 2006 at 02:01:57PM -0800, william(at)elan.net wrote:
>
> [This email explains one scenario for what could be called 'NXDOMAIN'
> DNS DoS which Doug tried to use in his FUD campaign against SPF

Just like in the meeting, I think many of us do not want to spend a great deal of time exploring all the nooks and crannies of some other working group's rathole. It is not even interesting to me whether SPF is or is not the primary method by which these attacks can be performed. So I ask, as I did last Friday, a question in response to the general issue:

> little to do with SPF. In fact the attack is a general DNS attack that will
> work with several other records (MX, SRV, NS, most likely PTR and NAPTR
> and possibly CNAME [John Levine suggested it, but I don't immediately see
> using it by itself]). The issue is that certain applications (including
> the DNS resolver itself) by means of special DNS records can be directed to
> do several additional lookups.

I still have no idea, from any of the SPF-blahblah discussion here, whether there is anything at all that this group needs to do about the problem. As nearly as I can see, there are a few possible answers. None of the following are positions I'm adopting; I'm just trying to figure out what questions, if any, to ask. Also, I bet this list isn't exhaustive:

1. Sort of. There is a DNS problem. We need to define what that problem is and what the operational impact might be; but if there is a protocol problem, we have to ask dnsext to take it up as a work item.

2. Yes. The general topic of DNS-using attacks is a work item that the group needs to take up.

3. No. This is a problem that people have pointed out more than once when others decided to start loading up the DNS with all these other kinds of records, and the consequences are here as predicted. Since everyone knew this was going to happen, we have nothing to say about it now.

4. Yes, but in a limited way. Some attacks are worse than others, and each attack type should be evaluated case-by-case, so that the group can decide whether it is worth investigating.

5. No. This is a topic better handled in operator group forums like NANOG, RIPE, APNIC, and even OARC, rather than here.

I lean towards (1) or (2) myself, but I can't say I have anything like a well-formed view on this stuff, so I'd like to hear the views of others as to what, if anything, to do about these kinds of attacks. I pray that we can keep particular examples out of it, but I suspect we can't.

A

--
Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                          Toronto, Ontario Canada
<[EMAIL PROTECTED]>                     M2P 2A8
jabber: [EMAIL PROTECTED]               +1 416 646 3304 x4110

_______________________________________________
dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
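The quoted point, that records whose data names another owner (MX, SRV, NS, CNAME, ...) make a resolver or application perform extra lookups, including lookups that end in NXDOMAIN, can be made concrete with a small model. The following is an added example, not code from this thread or from any DNS implementation: it walks a constructed toy zone, counts the lookups one query triggers, and shows the usual mitigation, a per-query indirection budget. The zone contents, the `INDIRECT` set and the `resolve` helper are all assumptions of the model.

```python
"""Added example (not from the thread): model how indirection records
multiply the lookups caused by one query, and bound them with a budget."""
from collections import deque

# Constructed toy zone: owner name -> list of (rtype, rdata). Owners absent
# from the table answer NXDOMAIN, which still costs the resolver one lookup.
# Real MX/SRV/NAPTR rdata carries more fields; the model keeps only the
# target name, which is the part that triggers the next lookup.
ZONE = {
    "example.test.": [("MX", "mx1.example.test."),
                      ("MX", "mx2.example.test."),
                      ("MX", "mx3.example.test.")],
    "mx1.example.test.": [("CNAME", "alias1.example.test.")],
    "alias1.example.test.": [("CNAME", "alias2.example.test.")],
    "mx2.example.test.": [("A", "192.0.2.10")],
    # mx3.example.test. and alias2.example.test. are deliberately absent.
}

# Record types whose rdata names another owner that the client looks up next
# (the types listed in the quoted message).
INDIRECT = {"CNAME", "MX", "NS", "SRV", "NAPTR", "PTR"}


def resolve(name, budget=10):
    """Return (addresses, lookups_done, truncated).

    Follows indirections breadth-first, charging one lookup per owner name
    visited (NXDOMAIN answers included) and stopping once `budget` lookups
    have been spent. The lookup count is the amplification one query causes;
    `truncated` tells the caller the budget, not the data, ended the walk.
    """
    queue = deque([name])
    seen = set()
    addresses, lookups = [], 0
    while queue:
        if lookups >= budget:
            return addresses, lookups, True
        owner = queue.popleft()
        if owner in seen:          # a CNAME loop must not burn the budget twice
            continue
        seen.add(owner)
        lookups += 1
        for rtype, rdata in ZONE.get(owner, []):   # [] models NXDOMAIN
            if rtype == "A":
                addresses.append(rdata)
            elif rtype in INDIRECT:
                queue.append(rdata)
    return addresses, lookups, False
```

With the default budget the single query for `example.test.` costs six lookups, two of them NXDOMAIN; with `budget=3` the walk stops early and reports that it was truncated, which is the signal a resolver or mail client can log or rate-limit on.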