[dns-operations] DNS deluge for x.p.ctrc.cc

Paul Vixie paul at vix.com
Fri Mar 3 19:37:56 UTC 2006


# Other than that there is a trust issue. No matter where I go or at what
# point I get on the internet my computer always uses my dns servers because I
# control them. He who controls the dns server you use controls you, so you
# better trust them.

isn't this why we developed TSIG?  did you know that your laptop (even if
it runs windows) can run BIND9 as a forwarder, and that the forwarded queries
can be protected with TSIG on their way back to your home recursive caching
name server?  you can learn more about this at:

	http://www.ietf.org/rfc/rfc2845.txt
	http://www.isc.org/sw/bind/

note that this isn't for everybody.  only someone smart enough to know they'd
prefer to talk to their own nameserver, and someone smart enough to know how
to keep DHCP from overriding their choice of nameserver, could (or would) do
this.

# > except that more and more segments aren't implementing any kind
# > of filtering.
# 
# Ok, well they aren't locking down their dns servers either, so either is
# going to take effort to get it done.

you keep saying that.  let me keep saying what i keep saying in response:

since i know how to direct my effort to protect my nameserver against reply
streams from open recursive name servers receiving spoofed-source query
streams (since i know who those open recursive name servers are) but i do
not know how to direct my effort toward protecting myself from the non-BCP38
networks who enable those attacks (since i do not know who they are, and
since they aren't sending packets toward me in any case), there is a 
qualitative rather than merely quantitative difference in "effort:return"
ratio here.

# > i would really like to meet some of those 5,000 people, and hear the ways
# > in which they depend on nonlocal open recursive nameservers, but
# 
# Maybe I didn't explain it right, it has nothing to do with folks using
# non-local dns servers.

well, if we're in different conversations altogether, that would explain why
we keep not hearing each other.

# I'm picturing this as a DNS blacklist basically, so ok some ISPs will use
# the service and some won't. Now you are on an ISP who doesn't use it, and
# who is blacklisted and you use their local recursive servers. What is the
# result you see when 10% of the dns servers on the internet refuse to respond
# to your queries cause they use the blacklist but the other 90% respond as
# always? Right, partial dns failures like some parts of the net are down.

i'm with you so far.  you're talking about "great pain for many people".  OK.

# Ok now let's suppose there is an ecommerce site on this part of the internet
# that is blacklisted. That ecommerce site needs to process a transaction then
# send an email back to the purchaser. The mail doesn't go thru, obviously
# spam filters at the purchaser's ISP so that's where everyone starts looking
# but NOooooo it's a dns issue but the guy who handles the mail at the
# receiving end will never know that because his dns servers respond properly
# and he can't test anyone else's dns servers. Imagine SSL or PTR lookup spam
# filters or any of a hundred of other functions that break if you have
# partial dns failures.

i'm still with you.  "nameless destruction from the sky for many people".  OK.

# The issues a blacklist of this type could cause would be a real nightmare to
# track down and the guy having the nightmare isn't just the one blacklisted,
# it would affect all of us. And then we still have to deal with the spoofing
# issues.

this makes it sound as though you have an answer to the question i've posed
over and over again for 10 days or so, but you didn't actually say so, so let
me ask it again (which i'll keep doing until folks start answering it, so if
you're easily bored you might want to procmail me out of your existence).

should root and TLD nameserver operators choose to be available to all parties
or should they choose to be available while they are attacked?  your answer
only has to cover the time between today and universal BCP38 deployment.
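As an added illustration of the TSIG-protected forwarder setup mentioned earlier in this message (these fragments are not part of the original post and are not an ISC-supplied configuration), here are two BIND9 named.conf fragments: one for the laptop, one for the home recursive caching server. The key name "laptop-home", the secret placeholder and the home server address 192.0.2.53 are assumptions; generate a real secret with tsig-keygen (current BIND releases). RFC 2845 defines HMAC-MD5; hmac-sha256 is assumed available, as it is in current BIND.

```conf
# --- laptop: named.conf (path assumed) ---
# Shared secret; replace with the output of `tsig-keygen laptop-home`.
key "laptop-home" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen=";
};

# Sign every query sent to the home server (192.0.2.53 is a placeholder
# from the documentation range). Because the key is listed here, named
# also requires the home server's replies to carry a valid signature;
# a forged reply injected by the local network fails verification.
server 192.0.2.53 {
    keys { "laptop-home"; };
};

options {
    # Only this machine may use the local forwarder.
    listen-on { 127.0.0.1; };
    allow-query { 127.0.0.1; };
    recursion yes;
    # Never iterate from the laptop itself: hand everything to home,
    # so whatever resolver the visited network's DHCP offers is unused.
    forward only;
    forwarders { 192.0.2.53; };
};

# --- home recursive caching server: named.conf (path assumed) ---
key "laptop-home" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen=";
};

options {
    recursion yes;
    # Recursion and cache access only for the home LAN and for queries
    # carrying a valid laptop-home signature. Everyone else is refused,
    # so this server is not an open recursive name server that a
    # spoofed-source query stream could turn into a reply stream.
    allow-query       { localnets; key "laptop-home"; };
    allow-recursion   { localnets; key "laptop-home"; };
    allow-query-cache { localnets; key "laptop-home"; };
};
```

On the laptop, point the stub resolver at 127.0.0.1 and stop the DHCP client from rewriting that setting; otherwise the signed forwarder is configured but bypassed. The home-side allow-query list assumes the server hosts no authoritative zones that must be visible to the public; if it does, leave allow-query open and keep only allow-recursion and allow-query-cache restricted.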
