Re: [DNSOP] Pointless FUD and confusion about DNSSEC deployment

[Dean Anderson]

On Mon, 18 Aug 2008, Jim Reid wrote:

 On 18 Aug 2008, at 05:11, Dean Anderson wrote:
 
  Ok, I agree that totally DNSSEC-oblivious servers won't be a problem
  for DOS, but of course remain susceptible to poisoning even if the
  stub resolver and the authority server both implement DNSSEC.
 
 Kindly explain how is this any different from when poisoning occurs  
 when stub resolver and authority server don't implement DNSSEC.

Its not any different; its exactly the same problem.  And DNSSEC creates 
more problems, without solving any.

 The fact is DNSSEC is the *only* game in town for preventing cache  
 poisoning. 

TCP is another 'game in town'.  We may also be able to invent other
'games', as DJB suggests.

 So to go back to David's original question: will deploying DNSSEC
 break anything that's already in use that doesn't support DNSSEC?

Yes: DNSSEC enables DDOS attacks that didn't exist before, and doesn't
eliminate any attacks that previously existed.

  Now if that resolving server does pay attention to the DO bit, it
  will set it on the query it makes to the authoritative server. That
  makes the authoritative server return an answer which will contain
  the new RRSIG and the resolving server's cache is updated
  accordingly.
 
  Ok. So what about caching servers that do understand the DO bit but
  don't actually verify the responses? They just cache the response
  for the stub resolver to verify?  These servers can still be
  poisoned with invalid record combinations that they pass on to stub
  resolvers, resulting in the DOS.  Such servers may still be subject
  to the race condition I described.
 
 How is this different from a resolving server not getting the correct
 answer because it queried an authoritative server that hasn't seen the
 latest version of the zone on the master?

In that scenario, the old data is consistent. In my scenario, poisoning
has created inconsistent data on the non-verifying DNSSEC cache.

 In fact in the somewhat contrived scenario you pose, the stub resolver
 gets a validation failure. So they at least know something has gone
 wrong. Which has to be a great leap forward from getting bad
 (poisoned) data and not having the slightest clue that has happened.

The resolver 'knows' perhaps, but the user doesn't know anything. They
just know that they typed in 'www.yahoo.com' and got no IP address.  
That's a DOS.

And its no leap forward. In the original cache poisoning case, the user
either gets, nothing, a non-working IP or they get the wrong server. If
they get the wrong server, their SSL verification and trust procedure
will exclude that server from use.  That's a DOS, too. 

 Ahhh. I see it now. Someone will deploy DNSSEC in their stub resolver.  
 But then they'll make that query a resolving server that doesn't speak  
 DNSSEC whenever their stub resolver wants to do a DNSSEC-aware lookup.  
 Right. Makes perfect sense. [Add scarcasm to taste.]

No, I already agreed that a totally DNSSEC-oblivious wasn't going to
pose a DNSSEC problem.  Your sarcasm is misplaced.

--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   


___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Pointless FUD and confusion about DNSSEC deployment

[Dean Anderson]

On Mon, 18 Aug 2008, Paul Hoffman wrote:

 At 1:27 PM +0100 8/18/08, Jim Reid wrote:
 The fact is DNSSEC is the *only* game in town for preventing cache poisoning.
 
 Note the subject of this particular thread. A more carefully-worded 
 sentence would be The fact is DNSSEC is the *only* game in town for 
 completely preventing cache poisoning. We have methods to reduce an 
 attacker's ability to poison caches effectively.

If the DNSSEC cache doesn't verify the records it caches, it is still 
suceptible to poisoning.

DNSSEC caches that verify are subject to a crypto-overload attack by 
large numbers of queries.

Both kinds of attacks ultimately result in a DOS

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   


___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Pointless FUD and confusion about DNSSEC deployment

[Mark Andrews]

 Jim Reid wrote:
 
  I suspect you're talking about the absurdly hypothetical scenario  where 
  someone gets a non DNSSEC-aware resolving server to lookup some  RRSIG, 
 
 Suppose you are using DNSSEC-unaware caching forwarder shared by
 others including those who are using PODS, which is often the case
 when you are behind NAT.
 
 RFC3225 does admit such a case as:
 
non-compliant caching or forwarding servers inappropriately copy data
from classic headers as queries are passed on to authoritative
servers, the use of a bit from the EDNS0 header is proposed.
 
 You ask a query on some name, maybe with DO bit set, and receive
 an answer without any SIG RRs.
 
 You now ask SIG RRs of the name through TCP (SIG RRs is usually
 larger than 1500B and can easily be larger than 64KB) and the SIG
 RRs will be cached, if everything works fine.

Sorry we are talking about RFC 4035 not RFC 2535.

RFC 2535 was designed to work through a non-RFC 2535 aware
cache.

RFC 4035 requires the upstream cache to be RFC 4035 aware.

RFC 4035 compliant validators DO NOT request RRSIGs if they
are missing from the response.  Instead the response is
rejected if it is deemed the response should have included
them.

The type code roll prevents RFC 2535 aware caches impacting
on the operation of RFC 4035 validators.

 There are a lot of possibilities that you can't get any SIG RRs,
 though. For example, the caching forwarder may not support TCP or
 may not be able to accept large answers.

And lack of TCP support will also break PODS responses as well.
Authoritative servers can sometimes get away with disabling TCP.
Stub and caches have never been able to get away with disabling
TCP.
 
 And, you must turn DNSSEC off, which is the instability I already
 mentioned.
 
 If you are little more unlucky, server's cache may overflow,
 inappropriate code against which may crash the server, which
 may never occured before with small PODS answers.
 
 It should also be noted that, in RFC3225, SIG RR query through TCP,
 which is unavoidable in this case, is considered harmful as:
 
TCP DNS queries result in significant overhead due to connection
setup and teardown.  Operationally, the impact of these TCP queries
will likely be quite detrimental in terms of increased network
traffic (typically five packets for a single query/response instead
of two), increased latency resulting from the additional round trip
times, increased incidences of queries failing due to timeouts, and
significantly increased load on nameservers.
 
   Masataka Ohta
 
 PS
 
 I'm very happy now because my proposal of Simple Secure DNS, which
 was designed to carefully avoid using large messages, is not deployed.
 
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Pointless FUD and confusion about DNSSEC deployment

[Masataka Ohta]

Mark Andrews wrote:

   RFC 4035 requires the upstream cache to be RFC 4035 aware.

Thanks. As examplified by assumptions of RFC3225, that's a so
unrealistic requirement that no further discussion on DNSSEC
is necessary. PERIOD.

   And lack of TCP support will also break PODS responses as well.
   Authoritative servers can sometimes get away with disabling TCP.
   Stub and caches have never been able to get away with disabling
   TCP.
 
In theory, yes, in practice, only those who supply large RRs
requiring TCP (or EDNS) will suffer.

Masataka Ohta

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Pointless FUD and confusion about DNSSEC deployment

[Mark Andrews]

 Mark Andrews wrote:
 
  RFC 4035 requires the upstream cache to be RFC 4035 aware.
 
 Thanks. As examplified by assumptions of RFC3225, that's a so
 unrealistic requirement that no further discussion on DNSSEC
 is necessary. PERIOD.

Given just about anyone can configure a validator to talk
directly to authoritative servers or can configure it to
talk to a cache which *is* DNSSEC aware which in turn talks
to the authoritative servers directly, I'm not worried about
those that *choose* to use a forwarder which is not DNSSEC
aware.

In other words just about anyone that wants to use DNSSEC
can put themselves in a position to use DNSSEC.  The tools
are available to do it.

We know there is unlikely to ever be universal deployment
of DNSSEC.  The fact that it is not universal however should
not be seen as a reason not to deploy it where it can be
deployed.

  And lack of TCP support will also break PODS responses as well.
  Authoritative servers can sometimes get away with disabling TCP.
  Stub and caches have never been able to get away with disabling
  TCP.
  
 In theory, yes, in practice, only those who supply large RRs
 requiring TCP (or EDNS) will suffer.

Well we are there now.  Lots of answers require EDNS and/or
TCP and the DNS resolution has not fallen over. 
 
   Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop