[dns-operations] the mathematics of kaminsky spoofing probability

Eric Osterweil eoster at cs.ucla.edu
Tue Aug 5 23:51:35 UTC 2008



On Aug 4, 2008, at 8:49 AM, Shane Kerr wrote:

> On Mon, 2008-08-04 at 06:45 -0700, David Conrad wrote:
>> On Aug 4, 2008, at 5:31 AM, bert hubert wrote:
>>> On Mon, Aug 04, 2008 at 12:26:03PM +0100, Simon Waters wrote:
>>>> One can merely ask the question twice over UDP to defeat spoofing,
>>>> no need to switch to TCP. Since spoofing both answers blind would be
>>>> exceedingly
>>>
>>> This is non-trivial because auth servers don't always give the same
>>> answers (round robin, load balancing devices, plus many auth servers
>>> hiding behind one IP address, which might not all serve the same data).
>>>
>>> But it is indeed one of the better options.
>>
>> At some point, the number of hacks necessary to implement address
>> spoofing protection (which won't actually prevent spoofing if the
>> attacker happens to be on the wire of course) is going to surpass the
>> complexity of DNSSEC, both in terms of code as well as operations.
>
> Isn't this comparing apples and oranges?
>
> As someone running a recursive resolver, I have no control over whether
> or not a particular zone is secured with DNSSEC. I can, however, take
> reasonable measures to protect myself against spoofing.
>
> DNSSEC requires action by at least 2 people, probably more like 4 in the
> typical case (the registry has to support it, the registrar has to
> support it, the zone holder has to secure the zone, and whoever is
> running the resolver needs to run the appropriate software).

I was curious why you think the registry and the registrar must
support DNSSEC in order for you to gain protection from it? If I
understand your implication, it is because the parent zones must
securely delegate (i.e. serve valid DS records) for the secure
children, right? If I've misunderstood you, my apologies. However,
if this is the case, I think you might find that it really takes 2
(maybe 3) parties, and if you run a recursive resolver, then you are
one of them. ;)

>
> So, for those of us who are not lucky enough to live in Sweden or
> Brazil, a little forgery resistance is a good thing. :)  (I guess,
> since of course I have not seen the official publication.)

To use DNSSEC in the absence of a delegation hierarchy you can look
at DLV repositories. From RFC 5074 S07, "... Searching all
applicable DLV domains until an applicable DLV record is found that
results in a successful validation of the response... "

Thus, you can use DLV and keep this a 2 party operation (as zones
adopt DNSSEC, they get into DLV repos at different rates).

Eric
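As an added illustration of the DLV search Eric quotes from RFC 5074 (example code written for this page, not code from the thread or from any resolver): a resolver that has no DS chain for a name walks the name's labels, longest first, looking for a DLV record under the DLV domain, and checks that record against the zone's DNSKEY exactly as it would check a DS. The DLV domain `dlv.example.net`, the DNSKEY RDATA and the repository contents are all constructed placeholders.

```python
import hashlib

DIGEST_ALGS = {1: "sha1", 2: "sha256"}  # DS/DLV digest type -> hash (RFC 4034 / RFC 4509)

def wire_name(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS/DLV digest = hash(owner wire name || DNSKEY RDATA); DLV RDATA has the DS layout."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return hashlib.new(DIGEST_ALGS[digest_type], wire_name(owner) + rdata).digest()

def dlv_search_names(qname, dlv_domain):
    """Owner names to query in the DLV domain, longest first, stopping above the DLV apex."""
    labels = qname.rstrip(".").lower().split(".")
    dlv = dlv_domain.rstrip(".").lower()
    return [".".join(labels[i:]) + "." + dlv for i in range(len(labels))]

def find_dlv_anchor(qname, dlv_domain, dlv_records, dnskeys):
    """Search the DLV domain for a trust anchor covering qname (simplified: assumes no DS chain).

    dlv_records: {dlv owner name: [(digest_type, digest)]}   -- the DLV repository's records
    dnskeys:     {zone: [(flags, protocol, algorithm, pubkey)]} -- DNSKEYs fetched from each zone
    Returns (status, zone, key). The closest DLV record decides: a DNSKEY matching it gives
    'secure'; a DLV record that no key matches is treated like a bad DS ('bogus'); no DLV
    record anywhere above the name means DLV offers no anchor ('insecure').
    """
    labels = qname.rstrip(".").lower().split(".")
    dlv = dlv_domain.rstrip(".").lower()
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        records = dlv_records.get(zone + "." + dlv)
        if not records:
            continue
        for dtype, digest in records:
            for key in dnskeys.get(zone, []):
                if ds_digest(zone, *key, digest_type=dtype) == digest:
                    return "secure", zone, key
        return "bogus", zone, None
    return "insecure", None, None

# Constructed sample data: a hypothetical DLV domain and made-up (not real) KSK RDATA.
DLV_DOMAIN = "dlv.example.net"
KEY = (257, 3, 8, bytes.fromhex("0102030405060708"))
DNSKEYS = {"example.com": [KEY]}
DLV_REPO = {"example.com." + DLV_DOMAIN: [(2, ds_digest("example.com", *KEY))]}

if __name__ == "__main__":
    print(dlv_search_names("www.example.com", DLV_DOMAIN))
    print(find_dlv_anchor("www.example.com", DLV_DOMAIN, DLV_REPO, DNSKEYS))
```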


