[dns-operations] the mathematics of kaminsky spoofing probability

Shane Kerr shane at ca.afilias.info
Mon Aug 4 15:49:06 UTC 2008


On Mon, 2008-08-04 at 06:45 -0700, David Conrad wrote: 
> On Aug 4, 2008, at 5:31 AM, bert hubert wrote:
> > On Mon, Aug 04, 2008 at 12:26:03PM +0100, Simon Waters wrote:
> >> One can merely ask the question twice over UDP to defeat spoofing, no need to
> >> switch to TCP. Since spoofing both answers blind would be exceedingly
> >
> > This is non-trivial because auth servers don't always give the same answers
> > (round robin, load balancing devices, plus many auth servers hiding behind
> > one IP address, which might not all serve the same data).
> >
> > But it is indeed one of the better options.
> 
> At some point, the number of hacks necessary to implement address  
> spoofing protection (which won't actually prevent spoofing if the  
> attacker happens to be on the wire of course) is going to surpass the  
> complexity of DNSSEC, both in terms of code as well as operations.

Isn't this comparing apples and oranges?

As someone running a recursive resolver, I have no control over whether
or not a particular zone is secured with DNSSEC. I can, however, take
reasonable measures to protect myself against spoofing.

DNSSEC requires action by at least 2 people, probably more like 4 in the
typical case (the registry has to support it, the registrar has to
support it, the zone holder has to secure the zone, and whoever is
running the resolver needs to run the appropriate software).

So, for those of us who are not lucky enough to live in Sweden or
Brazil, a little forgery resistance is a good thing. :)  (I guess, since
of course I have not seen the official publication.)

--
Shane
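The thread subject is the spoofing probability, and the quoted proposal is to ask twice over UDP and accept only matching answers. The following model is an added example written for this archive page, not code from any poster or from a resolver implementation. It assumes a blind attacker who fires a number of distinct forged replies into each race window, uniformly random 16-bit transaction IDs, an assumed ephemeral source port range of 64512 values when port randomization is on, and independent TXID/port choices for the two queries of the double-query scheme. The `answers_agree` helper only addresses bert's round-robin point about record ordering; genuinely different data behind one IP would still fail the comparison.

```python
import math

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 64512     # assumed resolver ephemeral port range 1024..65535


def forgery_space(randomize_ports: bool) -> int:
    """Number of equally likely (TXID, source port) values a blind attacker must guess."""
    return TXID_SPACE * (PORT_SPACE if randomize_ports else 1)


def single_race_success(forged_packets: int, space: int) -> float:
    """P(one race is won) when `forged_packets` distinct guesses arrive before the
    genuine answer. Capped at 1.0 once every value in the space is covered."""
    return min(forged_packets / space, 1.0)


def double_query_success(forged_packets: int, space: int) -> float:
    """P(one race is won) when the resolver asks twice with independent TXID/port
    and accepts only matching answers: both independent races must be won."""
    p = single_race_success(forged_packets, space)
    return p * p


def prob_success_within(races: int, p: float) -> float:
    """P(at least one win) over `races` independent Kaminsky-style retries."""
    return 1.0 - (1.0 - p) ** races


def expected_races(p: float) -> float:
    """Mean number of races until the first win (geometric distribution)."""
    return math.inf if p == 0 else 1.0 / p


def answers_agree(a, b) -> bool:
    """Compare two answer RRsets order-insensitively, so that a round-robin
    authoritative server rotating record order does not trip the check.
    Records are modelled as hashable tuples, e.g. (name, type, rdata)."""
    return frozenset(a) == frozenset(b)


if __name__ == "__main__":
    forged = 100   # constructed: forged replies per race window
    for ports in (False, True):
        space = forgery_space(ports)
        p1 = single_race_success(forged, space)
        p2 = double_query_success(forged, space)
        print(f"port randomization={ports} space={space}")
        print(f"  single query : p={p1:.3e} expected races={expected_races(p1):.3e}")
        print(f"  double query : p={p2:.3e} expected races={expected_races(p2):.3e}")
        print(f"  P(win within 10000 single-query races)={prob_success_within(10000, p1):.3f}")
    # constructed round-robin answers: same records, rotated order
    rr_a = [("www.example", "A", "192.0.2.1"), ("www.example", "A", "192.0.2.2")]
    rr_b = list(reversed(rr_a))
    print("round-robin answers agree:", answers_agree(rr_a, rr_b))
```

With 100 forged packets per race and a 16-bit TXID only, a single-query resolver loses a race roughly once in 655 attempts; requiring two independent matching answers squares that to roughly one in 430,000, and port randomization alone pushes the single-race probability down by a further factor of about 64,000.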