[dns-operations] EDNS0

william(at)elan.net william at elan.net
Wed Mar 1 06:12:25 UTC 2006

> 	As DNSSEC is deployed finding a 3+k authoritative response
> 	will be about as easy as finding a 500 byte response is
> 	today.  You will be able to do the attack w/o needing the
> 	recursive servers.

BTW, there is at least one other system being developed that wants
to add large dns records: Domainkeys and IETF version of it - DKIM.
(if you're not familiar the technology puts public key in DNS TXT
record under _domainkey subdomain and that is used to verify email 
signatures that added to message header by mail servers automatically)

I've already pointed out the problem of potential abuse of these
records for amplification dns attack:
That post is to include this issue in the threats draft, unfortunately 
it may not happen because nobody as of yet seconded my request plus
protocol designers are really not very eager to have a issue mentioned 
there that basically has no good workaround (at least from the perspective 
of those participating in the protocol).

Personally I think Yahoo and Cisco (and lots of other folks who are 
behind them for marketing reasons) are making big mistake by insisting
on public keys in dns approach for deploying automated email signature 
PKI where as there are other alternatives available such as dns records 
with fingerprints of public keys (this is what cisco itself originally 
proposed as IIM) or retrieving public keys from specialized servers 
pointed to by dns records.

William Leibzon
Elan Networks
william at elan.net

More information about the dns-operations mailing list