[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)

Steve Gibbard scg at gibbard.org
Wed Apr 4 19:17:31 UTC 2007

On Tue, 3 Apr 2007, Rodney Joffe wrote:

>> What is the DNS control plane?  Is it something more than the ability
>> to do AXFR?  To log in to the nameserver?  SOA/NS queries?
>> How would October 2002 have been different with a DNS control plane?
> Maybe there's a better phrase. I am defining a control plane as a 
> point-to-point connection between sources of queries and sources of answers 
> such that actions taken by any "actual" query source can "actually" be 
> controlled by the "actual" answer source in such a way that all other query 
> sources remain unaffected in any way.

To substitute my own clumsy explanation for Rodney's, it sounds like 
what's being described here is a separate control plane for name lookups 
rather than a separate control plane for managing the DNS servers.  This 
is what his UltraDNS DNS Shield does.

> 95% of the 'net were *not* the cause of the 2002 pain. Or any of the attacks 
> since then.

The issue that keeps me from being tempted to replicate DNS Shield is one 
of scaling.

As I understand, DNS Shield does a good job at what it does, which is to 
protect the ability of some large recursive servers to do name lookups in 
Ultra-hosted zones (including the root now or at least soon, through the 
Ultra/F-Root agreement).  If it were possible to put such a cluster in 
front of every recursive server that needs to be able to do lookups on 
Ultra-hosted zones, it might be a big success.  But there are a lot of 
recursive DNS servers out there, a lot of which have not been the cause of 
any attacks.  Our job is to reliably serve all of them.

Given finite resources, we can put a node at an exchange point and try to 
serve all the ISPs in a region, or we can put a node at one of the ISPs 
and not allow any outside access, and serve only the subset of that ISP's 
customers who use the ISP's recursive server.

It seems to me that to make running DNS on a separate network scale we'd 
need to either vastly reduce the number of recursive servers (which 
creates its own DOS potential), or build a large scale parallel Internet 
to handle only DNS queries from trusted sources, which would be incredibly 

This makes me think Matt Larson's strategy:

>> VeriSign's DDoS mitigation strategy was and remains to spend the money
>> and devote the engineering necessary to over provision to handle what
>> comes at us.

is probably more scalable, even if not as bulletproof in the isolated 
cases where DNS Shield has been applied.

Am I missing something here?  Do 75% of the world's Internet users (to 
take a number from another of Rodney's messages) really use less than 30 
recursive DNS servers?
