[dns-operations] [Nst] A Case Against DNSSEC (A Matasano Miniseries)

Paul Vixie paul at vix.com
Thu Apr 5 01:33:44 UTC 2007

> The second thing is that this _does_ create two classes of Internet
> user (I suppose a better analogy is "two classes of Internet
> neighbourhood"): those who get "shielded" and those who don't.  I
> don't know whether I think this is good or bad, but it is something
> one had better acknowledge, I think -- and certainly is something one
> oughtn't to deny.  Whether there is a practical effect of that
> two-class arrangement I don't know.  

since isc will continue serving the global population with as much
massively overprovisioned capacity as before, i see f-root's 
dns shield participation as a pure win for the community.

> I'm also wondering about the following.  If the attackers put their
> bots or whatever behind the shield as well as everywhere else, then
> the infrastructure formerly protected by the shield is subject to
> attack, so the shield isn't really going to work in the case where the
> attackers have large numbers of their attack agents inside the
> protected ISP's network.  If I understand that correctly, then it
> almost seems to create a new kind of attack, whereby the attacker can
> _explicitly_ go after (say) "AOL customers" and target them
> effectively by attacking inside the "shielded area".  Is the idea,
> then, that the ISPs have a strong incentive to mitigate such attacks
> quickly, and the data about their network to do it more effectively
> than an authoritative operator does?

yes, absolutely.  an isp whose servers are ddos'd by their own broadband
clouds is in the best possible position, especially wrt spoof prevention
and therefore flow limits that only work when you know spoofing isn't
happening, to mitigate the attacks.  giving isps this mitigation tool
is almost as important in the grand scheme of things as giving them a
service that doesn't share fate with the global population.

> If I am right in this last part of my understanding (and my apologies
> to those who are brighter than I am and who are exasperated by my
> foolishness and ignorance), that doesn't mean this approach is
> useless.  But it does seem to mean that very good coverage by shields
> needs to be attained (somewhere over 80% of all ISP recursing
> nameservers, I should think, or the network effects won't be enough to
> blunt the new attack vector) and also that shields can't be the only
> strategy for a given service (so that users behind a shield have an
> alternative way of getting resolution to their queries).  Have I
> missed something obvious?

that's everything.
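The reply above rests on one technical claim: a per-source flow limit is only useful when the source addresses a resolver sees are real, which is what spoof prevention at the ISP edge gives a shield instance. The following is an added example, not code from the post or from ISC/F-root, that models that dependency over constructed traffic: a flood from real infected hosts inside an ISP is fully attributable and gets limited, while the same volume with forged sources slips under any per-source threshold. All addresses (documentation ranges), volumes and the threshold are assumptions.

```python
"""Why per-source flow limits depend on spoof prevention (added example;
traffic below is constructed, not captured)."""
from collections import Counter

# Assumed policy: more than this many queries from one source per window is abuse.
PER_SOURCE_LIMIT = 50


def legit_traffic(n_clients=200, per_client=5):
    """Constructed background: many clients, each well under the limit."""
    return [(f"192.0.2.{i}", "example.net")
            for i in range(n_clients) for _ in range(per_client)]


def bot_traffic(n_bots=20, per_bot=500):
    """Constructed flood from real (non-spoofed) hosts inside the ISP's cloud."""
    return [(f"198.51.100.{i}", "victim.example")
            for i in range(n_bots) for _ in range(per_bot)]


def spoofed_traffic(n_packets=10_000):
    """Constructed flood where every packet carries a different forged source."""
    def fake_src(i):
        return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
    return [(fake_src(i), "victim.example") for i in range(n_packets)]


def sources_over_limit(records, limit=PER_SOURCE_LIMIT):
    """Sources whose query count in the window exceeds the flow limit."""
    counts = Counter(src for src, _ in records)
    return {src: n for src, n in counts.items() if n > limit}


def evaluate(legit, attack, limit=PER_SOURCE_LIMIT):
    """Apply the flow limit to mixed traffic and report what it would drop:
    the fraction of attack queries from flagged sources, and how many
    legitimate clients would be caught as collateral."""
    flagged = sources_over_limit(legit + attack, limit)
    attack_by_src = Counter(src for src, _ in attack)
    legit_srcs = {src for src, _ in legit}
    dropped_attack = sum(n for src, n in attack_by_src.items() if src in flagged)
    return {
        "flagged_sources": len(flagged),
        "attack_dropped_fraction": dropped_attack / len(attack),
        "legit_clients_hit": len(legit_srcs & set(flagged)),
    }


if __name__ == "__main__":
    legit = legit_traffic()
    # Real sources: all 20 bots exceed the limit, no legitimate client does.
    print("non-spoofed bots:", evaluate(legit, bot_traffic()))
    # Forged sources: 10,000 queries, each from a "new" host, nothing flagged.
    print("spoofed flood:   ", evaluate(legit, spoofed_traffic()))
```

With real sources the limit drops the whole flood and touches no legitimate client; with forged sources it drops nothing, which is why the ISP's ability to enforce ingress filtering on its own broadband clouds is what makes the mitigation work for a shield instance and not for a global anycast node.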
