[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region
Shane Kerr
shane at time-travellers.org
Wed Jul 19 07:22:20 UTC 2023
Shumon and all,
On 18/07/2023 21.41, Shumon Huque wrote:
> On Tue, Jul 18, 2023 at 3:29 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> Yes, I agree. A resolver can't really tell that a response with an
> expired signature wasn't an attacker trying to replay old data. For
> robustness against attacks, it must re-query other available
> servers if they exist.
I kind of think that a resolver using UDP should just drop a response on
the floor if it has an expired signature. Otherwise an attacker can
induce behavior change by spoofing replies, which is itself a security
problem (in this case, blocking with a response that would arrive later
and work, effectively removing a name server from the set of name
servers queried for a given lookup).
This idea mostly applies to UDP without DNS cookies since it is the only
transport easily vulnerable to spoofing. With other transports you are
much more sure that the answer actually came from the server you are
querying, and so you can be confident that the server is giving out
bogus answers. (TCP is vulnerable to BGP hijacking and the like, but in
that case you would still expect to get bogus answers for subsequent
queries to the same server.)
Unfortunately I don't think any resolvers hold onto a UDP query until
after the DNSSEC validation. So there is not really much option other
than to try again. 🤓
Cheers,
--
Shane
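The resolver policy argued for above, as an added illustration that is not code from the thread or from any resolver: an RRSIG validity-window check in 32-bit serial-number arithmetic (RFC 4034, section 3.1.5), followed by the decision of whether an expired-signature reply is dropped (spoofable UDP without a cookie) or treated as a bogus server to re-query elsewhere (TCP, or UDP with a DNS cookie). The function and Action names are assumptions for this example.

```python
"""Added example: RRSIG validity window plus the expired-signature handling
policy discussed in the thread. Names are assumptions, not a real resolver's API."""
from enum import Enum

MOD = 1 << 32  # RRSIG Inception/Expiration are 32-bit serial numbers (RFC 4034 s3.1.5)


def serial_leq(a: int, b: int) -> bool:
    """True if a <= b in 32-bit serial-number arithmetic (the field wraps in 2106)."""
    return (b - a) % MOD < (1 << 31)


def rrsig_in_window(inception: int, expiration: int, now: int) -> bool:
    """Signature is temporally valid when inception <= now <= expiration."""
    return serial_leq(inception, now) and serial_leq(now, expiration)


class Action(Enum):
    ACCEPT = "accept"              # signature valid, use the answer
    DROP_KEEP_WAITING = "drop"     # spoofable transport: ignore, wait for the real reply
    MARK_BOGUS_REQUERY = "requery" # authenticated transport: server is broken, try another


def handle_response(transport: str, has_cookie: bool,
                    inception: int, expiration: int, now: int) -> Action:
    """Decide what to do with a response after checking its RRSIG window.

    On plain UDP an expired-signature reply may be an attacker's spoof, so
    treating it as proof the server is broken would let the spoofer remove
    that server from the query set. Drop it and keep listening instead.
    Over TCP, or UDP with a DNS cookie, the reply is known to come from the
    server, so marking the server bogus and re-querying others is safe.
    """
    if rrsig_in_window(inception, expiration, now):
        return Action.ACCEPT
    if transport == "udp" and not has_cookie:
        return Action.DROP_KEEP_WAITING
    return Action.MARK_BOGUS_REQUERY
```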