[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Sun Feb 26 21:23:49 UTC 2006


# We should get Dan Kaminsky and Mike Schiffman on this list, ...

i completely agree.  i heard dan's talk on this at usenix-lisa and have seen
the paper he wrote and think that both he and mike would be great to have in
this discussion.

assuming that bgp or https or some scalable means could be found to share
the predicate-set "openly recursive AND recently abused", my question is one
of ethics/policy rather than technology/engineering... WHO would subscribe to
such a list?  would it just be enterprise nameservers, and isp's and akamai?
or would TLD and/or root server operators be willing to make the tradeoff
between "being available to everybody" vs. "being available when attacked" ??

this is a powerful question.  if a TLD or root name server operator decided
to ignore all packets that came from (known_openly_recursive&&recently_abused)
nameservers, then there would be a dramatic and instantaneous loss of service
to a lot (122K, 580K, 1M, the numbers vary) of recursive name servers and to
a lot (millions?) of browser-equipped people who depend on those name servers.
(that sounds irresponsible, when i put it like that, doesn't it?)

on the flip side, any TLD or root name server who does _not_ ignore all packets
from those places is subject to what we're now finding to be an absolutely
trivial amplification attack.  (that also sounds irresponsible when i put it
like that, i hope.)

where is the greater responsibility?  availability to all, or availability
during attacks?

some people insisted on running open mail relays even after those were widely
abused.  other people insisted on rejecting all e-mail from those relays.  the
endgame was predictable, but the process of getting there was ugly and painful.

something like that's going to happen with open recursive name servers.  some
folks will insist on continuing to operate that way.  some other folks will
insist on rejecting all packets from servers known to be configured that way.
the endgame is a lot of ACLs, wider deployment of GSS-TSIG, and the use of
TSIG for query (not just for update).  the process of reaching that endgame
will be ugly.

but what should a TLD or root name server operator do?  realizing that there's
no amount of provisioning (capex, opex, hiring, links, nodes, servers, pipes,
you name it) that will make a server immune to this trivial-to-launch attack,
my question remains: what's the greater (ir)responsibility, availability to
all or availability during attack?

this isn't a no-brainer.  (i don't know what f-root should do, for example.)
