[dns-operations] [Nst] A Case Against DNSSEC (A Matasano Miniseries)

Andrew Sullivan andrew at ca.afilias.info
Thu Apr 5 13:39:40 UTC 2007

On Wed, Apr 04, 2007 at 09:19:59PM -0700, Rodney Joffe wrote:

> >is, if you put the shield on AOL and three other large ISPs, but the
> >attack works by targeting a service used only by people not on those
> >ISPs, the shield isn't effective.
> It is extremely effective for AOL and three other large ISPs. They  
> have the philosophical position that I consider "good".

You're equivocating there: it's not effective against the attack (and
my contrived example explicitly leaves out AOL and the three other
ISPs as targets, so it has no effectiveness in that case at all). 

The reason I'm making this argument is because it sounds to me like
people are proposing a false dichotomy: massive overprovisioning or
shields.  It doesn't seem to me that the shield approach is in any way
a replacement for overprovisioning, which means that it qualifies as
simply one more expense.  It may well be justified, but it's
nevertheless _in addition_ to overprovisioning, not instead of it.

> Similar to those who have access to IPv6 and those that don't.
> Those that have access to native Multicast and those that don't.
> Those that have ISPs that provide spam filtering, and those that don't.
> Those whose access/transit is via SONET or redundant paths and those  
> that don't.
> Those whose providers do useful RPF and end up protecting them from  
> attacks, and those that don't.
> Etc.
> And your point is?

First, this _is_ another differentiation, and therefore one should be
up front about it.  I've seen suggestions in this thread that it does
not in fact create a new differentiation; but it does.  If we're going
to embrace this sort of thing, we should say that's what we're doing.

Second, many of the examples you list are enhancements that work along
side existing technology; but the current proposal either increases
costs or else takes money from the general provisioning of
infrastructure for DNS.  So this approach means that the benefit to
some may come at the cost to others, which is different from your
examples.  Again, none of that is to say that it's a bad idea.  But
benefits need to be weighed against costs, and I'm trying to get an
idea of what those costs are.  As a provider of infrastructure to
users with whom I mostly have no contact, I have to work hard to
figure out what some of those costs are, and to weigh the costs from
the point of view of the various communities of users.

> I can only talk about the NeuStar Ultra Shield nodes. The recommended
> design has the Shield node acl'd so that only the ISP's recursive
> servers see the announcements from the Shield's node. So the ISP's
> users do not have access to the shield node.

Well, right.  But if the shield is hosed because of the volume
directed at it by the recursive servers, presumably the attack still
works.  I appreciate, however, that this might be harder to do, and
also that the ISPs are probably in a better position to mitigate such
attacks.  I also buy Paul's argument that one of the benefits to this
sort of arrangement is the extent to which it almost forces ISPs to
deal with attacks inside their networks (and therefore helps solve the
problem of incomplete implementation of BCP 38).

Anyway, I think I've said enough in this thread.  Thanks for the more
complete detail.


Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                        Toronto, Ontario Canada
<andrew at ca.afilias.info>                              M2P 2A8
jabber: ajsaf at jabber.org                 +1 416 646 3304 x4110
