Re: Possibly questionable security decisions in DNS root management
Florian Weimer wrote:
> And you better randomize some bits covered by RRSIGs on DS RRsets.
> Directly signing data supplied by non-trusted source is quite risky.
> (It turns out that the current signing schemes have not been designed
> for this type of application, but the general crypto community is very
> slow at realizing this discrepancy.)

Could you elaborate? I'm not sure what you're referring to or why it would be quite risky to sign unrandomized messages. Modern, well-designed signature schemes are designed to resist chosen-message attack. They do not require the user of the signature scheme to randomize the messages to be signed. I'm not sure what discrepancy you're referring to.

Back to DNSSEC: The original criticism was that "DNSSEC has covert channels". So what? If you're connected to the Internet, covert channels are a fact of life, DNSSEC or no. The added risk due to any covert channels that DNSSEC may enable is somewhere between negligible and none, as far as I can tell. So I don't understand that criticism.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: Possibly questionable security decisions in DNS root management
Florian Weimer writes:
> * Perry E. Metzger:
>
>> Actually, there are routine attacks on DNS infrastructure these days,
>> but clearly they're not cryptographic since that's not
>> deployed. However, a large part of the point of having DNSSEC is that we
>> can then trust the DNS to be accurate so we can insert things like
>> cryptographic keys into it.
>
> As far as I know, only the following classes of DNS-related incidents
> have been observed:

You're not correct. Among other things, I've personally been the subject of deliberate DNS cache contamination attacks, and people have observed deployed DNS response forgery in the field.

>> I'm particularly concerned about the fact that it is difficult to a
>> priori analyze all of the use cases for DNSSEC and what the incentives
>> may be to attack them.
>
> Well, this seems to be rather constructed to me.

Feel free to find it "constructed". From my point of view, if I can't analyze the implications of a compromise, I don't want to leave the ability for it to happen in a system. I don't think anyone is smart enough to understand all the implications of this across all the systems that depend on the DNS, especially as we start to trust the DNS because of the authentication.

Perry

Re: Possibly questionable security decisions in DNS root management
* John Gilmore:

> So the standard got sent back to the beginning and redone to deal with
> the complications of deployed servers and records with varying algorithm
> availability (and to make DSA the "officially mandatory" algorithm).
> Which took another 5 or 10 years.

And it's still not clear that it works. No additional suite of algorithms has been approved for DNSSEC yet. Even the upcoming SHA-256 change is, from an implementor's perspective, a minor addition to NSEC3 support because it has been tied to that pervasive protocol change for political reasons.

> forcibly paid by every domain owner

Not really, most ccTLDs only pay out of generosity, if they pay at all (and if you make enough fuss at your favorite TLD operator's annual general meeting, they are likely to cease to pay, too).

> So the total extra data transfer for RSA (versus other) keys won't
> be either huge or frequent.

Crap queries are one problem. DNS is only efficient for regular DNS resolution. Caching breaks down if you use non-compliant or compliant-to-broken-standards software. There's also the annoying little twist that about half of the client (resolver) population unconditionally requests DNSSEC data, even if they are incapable of processing it in any meaningful way (which means, in essence, no incremental deployment on the authoritative server side).

There are some aspects of response sizes for which no full impact analysis is publicly available. I don't know if the 1024 bit decision is guided by private analysis. (It is somewhat at odds with my own conclusions.)

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Re: Possibly questionable security decisions in DNS root management
* Victor Duchovni:

> The optimization is for DDoS conditions, especially amplification via
> forged source IP DNS requests for ". IN NS?". The request is tiny,
> and the response is multiple KB with DNSSEC.

There's only one required signature in a ". IN NS" response, so it isn't as large as you suggest. (And the priming response is already larger than 600 bytes due to IPv6 records.)

DNSKEY RRsets are more interesting. But in the end, this is not a DNS problem, it's a lack of regulation of the IP layer.

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Re: Possibly questionable security decisions in DNS root management
* Jack Lloyd:

> On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
>
>> DSA was (designed to be) full of covert channels.
>
> True, but TCP and UDP are also full of covert channels.

And you better randomize some bits covered by RRSIGs on DS RRsets. Directly signing data supplied by non-trusted source is quite risky. (It turns out that the current signing schemes have not been designed for this type of application, but the general crypto community is very slow at realizing this discrepancy.)

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Re: Possibly questionable security decisions in DNS root management
* Perry E. Metzger:

> Actually, there are routine attacks on DNS infrastructure these days,
> but clearly they're not cryptographic since that's not
> deployed. However, a large part of the point of having DNSSEC is that we
> can then trust the DNS to be accurate so we can insert things like
> cryptographic keys into it.

As far as I know, only the following classes of DNS-related incidents have been observed:

(a) Non-malicious incorrect DNS responses from caches
    (a1) as the result of defective software
    (a2) due to misconfiguration
    (a3) as a means to generate revenue
    (a4) as a means to generate revenue, but informed consent of the affected party is disputed
    (a5) to implement local community standards

(b) Compromised service provider infrastructure
    (b1) ISP caching resolvers
    (b2) ISP-provisioned routers/DNS proxies at customer sites
    (b3) authoritative name servers and networks around authoritative name servers
    (b4) as the result of registrar/registry data manipulation

(c) DNS as a traffic amplifier, used for denial-of-service attacks both against DNS and non-DNS targets

(d) in-protocol, non-spoofed DNS-based reflective attacks against authoritative servers

(e) unclear incidents for which sufficient data is not available

The problem is that the "attacks" you mentioned are in class (e), but likely belong to (a1) and (a2) if we had more insight into them. Certainly, bad data itself is not proof of malicious intent.

(NB: (a1) does *not* include software using predictable query source ports. There does not appear to be corresponding attack activity.)

> I'm particularly concerned about the fact that it is difficult to a
> priori analyze all of the use cases for DNSSEC and what the incentives
> may be to attack them.

Well, this seems to be rather constructed to me. You state that DNSSEC is a game changer, and then it's indeed pretty unclear what level of cryptographic protection is required. But in reality, DNSSEC adoption is not likely to change DNS usage patterns. If there's an effect, it will be due to the more rigid protocol specification and a gradual phase-out of grossly non-compliant DNS implementations, and not due to the cryptography involved.

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99