[dns-operations] EDNS0
william(at)elan.net
william at elan.net
Wed Mar 1 06:12:25 UTC 2006
> As DNSSEC is deployed finding a 3+k authoritative response
> will be about as easy as finding a 500 byte response is
> today. You will be able to do the attack w/o needing the
> recursive servers.
BTW, there is at least one other system being developed that wants
to add large DNS records: DomainKeys and the IETF version of it, DKIM.
(If you're not familiar, the technology puts a public key in a DNS TXT
record under the _domainkey subdomain, and that is used to verify email
signatures that are added to the message header by mail servers automatically.)
I've already pointed out the problem of potential abuse of these
records for DNS amplification attacks:
http://www.mhonarc.org/archive/html/ietf-dkim/2006-02/msg00370.html
That post is a request to include this issue in the threats draft; unfortunately
it may not happen because nobody has seconded my request as of yet, plus
protocol designers are really not very eager to have an issue mentioned
there that basically has no good workaround (at least from the perspective
of those participating in the protocol).
Personally I think Yahoo and Cisco (and lots of other folks who are
behind them for marketing reasons) are making a big mistake by insisting
on the public-keys-in-DNS approach for deploying an automated email signature
PKI, whereas there are other alternatives available such as DNS records
with fingerprints of public keys (this is what Cisco itself originally
proposed as IIM) or retrieving public keys from specialized servers
pointed to by DNS records.
--
William Leibzon
Elan Networks
william at elan.net
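The post argues that a full public key in a DKIM TXT record makes the record large enough to serve as an amplification vector, and that a fingerprint-style record would not. The following is an added example, not part of the original message or of any DKIM or IIM implementation: it estimates the UDP response size and response-to-query ratio for a DKIM-style TXT record versus a fingerprint-style record, so an operator can see which records push a resolver past the 512-byte classic limit (the EDNS0 question in the thread's subject). The DKIM tag=value syntax is real; the fingerprint record format ("v=FP1; h=sha256; fp=...") is a constructed stand-in, not IIM's actual syntax; the key blobs are dummy bytes sized like real RSA SubjectPublicKeyInfo DER (294 bytes for RSA-2048, 550 for RSA-4096); and the byte counts assume a single-answer response with the owner name compressed and no DNSSEC signatures.

```python
"""Added example (not from the original post): estimate how large a DKIM-style
TXT record makes a DNS response, and compare it with a fingerprint-style record.

Assumptions (constructed for this example): the fingerprint record format is
invented, the key blobs are dummy bytes sized like real RSA SPKI DER, and the
response is one answer RR with a compressed owner name and no DNSSEC RRSIGs.
"""
import base64
import hashlib

DNS_HEADER_LEN = 12              # id, flags, qd/an/ns/ar counts (RFC 1035)
QUESTION_FIXED_LEN = 4           # qtype + qclass (name length is added separately)
RR_FIXED_LEN = 2 + 2 + 2 + 4 + 2 # compressed owner pointer, type, class, ttl, rdlength
EDNS0_OPT_RR_LEN = 11            # root name + type + udp size + ext rcode/ttl + rdlength, empty rdata
CLASSIC_UDP_LIMIT = 512          # largest UDP payload without EDNS0


def wire_name_len(name: str) -> int:
    """Wire-format length of a domain name: length-prefixed labels plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1


def txt_rdata_len(txt: str) -> int:
    """TXT RDATA is one or more <character-string>s: a length byte plus up to 255 bytes each."""
    data = txt.encode()
    return sum(1 + len(data[i:i + 255]) for i in range(0, len(data), 255)) or 1


def parse_tag_value(txt: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax DKIM uses in its TXT records."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        tag, _, value = field.partition("=")  # base64 padding '=' stays in the value
        tags[tag.strip()] = value.strip()
    return tags


def query_len(owner: str, edns0: bool = True) -> int:
    """Size of the UDP query: header + question (+ OPT RR when EDNS0 is used)."""
    n = DNS_HEADER_LEN + wire_name_len(owner) + QUESTION_FIXED_LEN
    return n + EDNS0_OPT_RR_LEN if edns0 else n


def response_len(owner: str, txt: str, edns0: bool = True) -> int:
    """Size of the response: header + echoed question + one TXT answer (+ OPT RR)."""
    n = (DNS_HEADER_LEN + wire_name_len(owner) + QUESTION_FIXED_LEN
         + RR_FIXED_LEN + txt_rdata_len(txt))
    return n + EDNS0_OPT_RR_LEN if edns0 else n


def amplification(owner: str, txt: str, edns0: bool = True) -> float:
    """Bytes returned per byte sent, the figure that matters for reflection abuse."""
    return response_len(owner, txt, edns0) / query_len(owner, edns0)


def dkim_record(der_key: bytes) -> str:
    """DKIM-style record carrying the whole public key (real DKIM tag syntax)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der_key).decode()


def fingerprint_record(der_key: bytes) -> str:
    """Constructed fingerprint-style record: only a hash of the key lives in DNS."""
    return "v=FP1; h=sha256; fp=" + hashlib.sha256(der_key).hexdigest()


# Constructed dummy key blobs, sized like real RSA SubjectPublicKeyInfo DER encodings.
DUMMY_RSA2048 = bytes(range(256)) + bytes(38)        # 294 bytes
DUMMY_RSA4096 = bytes(range(256)) * 2 + bytes(38)    # 550 bytes
OWNER = "selector._domainkey.example.com"            # constructed owner name


def report(label: str, txt: str) -> str:
    """One summary line per record, flagging responses that no longer fit classic UDP."""
    r = response_len(OWNER, txt)
    note = "  (over 512B: needs EDNS0 or TCP)" if r > CLASSIC_UDP_LIMIT else ""
    return (f"{label:<22} rdata={txt_rdata_len(txt):4d}B "
            f"response={r:4d}B amp={amplification(OWNER, txt):5.1f}x{note}")


if __name__ == "__main__":
    print(f"query with EDNS0: {query_len(OWNER)}B")
    print(report("DKIM, RSA-2048 key", dkim_record(DUMMY_RSA2048)))
    print(report("DKIM, RSA-4096 key", dkim_record(DUMMY_RSA4096)))
    print(report("fingerprint, sha256", fingerprint_record(DUMMY_RSA4096)))
```

With these assumptions a 60-byte EDNS0 query fetches a 484-byte response for an RSA-2048 DKIM record and an 829-byte one for RSA-4096 (which only works over UDP with EDNS0), while the fingerprint-style record stays at 157 bytes, roughly a 2.6x ratio instead of 8x to 14x. The numbers are estimates, but the comparison is the operational point: record size, not the existence of the record, is what turns an authoritative server into a reflector.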