[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)
Steve Gibbard
scg at gibbard.org
Wed Apr 4 19:17:31 UTC 2007
On Tue, 3 Apr 2007, Rodney Joffe wrote:
>> What is the DNS control plane? Is it something more than the ability
>> to do AXFR? To log in to the nameserver? SOA/NS queries?
>>
>> How would October 2002 have been different with a DNS control plane?
>
> Maybe there's a better phrase. I am defining a control plane as a
> point-to-point connection between sources of queries and sources of answers
> such that actions taken by any "actual" query source can "actually" be
> controlled by the "actual" answer source in such a way that all other query
> sources remain unaffected in any way.
To substitute my own clumsy explanation for Rodney's, it sounds like
what's being described here is a separate control plane for name lookups
rather than a separate control plane for managing the DNS servers. This
is what his UltraDNS DNS Shield does.
> 95% of the 'net were *not* the cause of the 2002 pain. Or any of the attacks
> since then.
The issue that keeps me from being tempted to replicate DNS Shield is one
of scaling.
As I understand, DNS Shield does a good job at what it does, which is to
protect the ability of some large recursive servers to do name lookups in
Ultra-hosted zones (including the root now or at least soon, through the
Ultra/F-Root agreement). If it were possible to put such a cluster in
front of every recursive server that needs to be able to do lookups on
Ultra-hosted zones, it might be a big success. But there are a lot of
recursive DNS servers out there, a lot of which have not been the cause of
any attacks. Our job is to reliably serve all of them.
Given finite resources, we can put a node at an exchange point and try to
serve all the ISPs in a region, or we can put a node at one of the ISPs
and not allow any outside access, and serve only the subset of that ISP's
customers who use the ISP's recursive server.
It seems to me that to make running DNS on a separate network scale we'd
need to either vastly reduce the number of recursive servers (which
creates its own DoS potential), or build a large-scale parallel Internet
to handle only DNS queries from trusted sources, which would be incredibly
expensive.
This makes me think Matt Larson's strategy:
>> VeriSign's DDoS mitigation strategy was and remains to spend the money
>> and devote the engineering necessary to over provision to handle what
>> comes at us.
is probably more scalable, even if not as bulletproof in the isolated
cases where DNS Shield has been applied.
Am I missing something here? Do 75% of the world's Internet users (to
take a number from another of Rodney's messages) really use fewer than 30
recursive DNS servers?
-Steve