[dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream

[Jim Reid]

On May 1, 2006, at 01:15, Bill Larson wrote:

> How can the "security of the DNS system" be considered as any  
> better than
> the security of the parent servers?

Because the parent is not usually authoritative for its children.  
Sure, the parent could insert bogus delegation info: a fake glue or  
NS record. But this is little different from a slave server for the  
child that tells lies about the zone. If anything, a lying slave is  
probably much worse because the cache poisoning heuristics in a  
decent implementation will give more credence to what an  
authoritative child has to say than a non-authoritative parent.

> Using an example from the paper.  If the FBI has a delegated server
> that can be easily hijacked, then this would mean that a significant
> number of queries for information in the "fbi.gov" domain could be
> subverted with invalid info.  This is a security issue and it is  
> not an
> issue under the direct control of the FBI (except for their  
> decision to
> base their operation on a third party service).

One would hope that if someone outsources DNS service to a third  
party, that will be subject to a contract which includes performance  
levels, problem escalation, response to security incidents as well as  
criminal or civil penalties for non-compliance. I'd get those  
safeguards buying a cup of coffee, so why not when buying DNS service?

> Isn't this the same type of security issue evaluated with COPS?

I don't think so.