[dns-operations] Forgery resilience idea - wildcard cooperative defense

Paul Vixie vixie at isc.org
Thu Aug 7 17:18:28 UTC 2008


> While doing some free-associating around the Kaminsky presentation, I 
> began pondering wildcards.
> 
> Specifically, what could we do, using wildcards, to nip the 
> $RANDOM.example.com problem in the bud?
> ...

any solution requiring cooperative action/change by both the RDNS and ADNS
has a cost that's equivalent to "deploy DNSSEC".  the thing that's good
about UDP port randomization, or DNS-0x20, is that it only requires change
in one place (the RDNS in those cases, but an ADNS-only solution would also
be cheaper than "deploy DNSSEC".)

for solutions involving "upgrade all nodes", the first term of the expression
of deployment cost is in touching all those nodes, and the actual complexity
or difficulty of the new protocol is a distant second term, easily managed
through normal and inevitable capitalistic incentives.

for all solutions having the same cost as "deploy DNSSEC", compare the
expected benefits.  the DNS datapath is long and twisty and involves both
on-wire and off-wire transport.  zone storage on primary and secondary
servers, zone transfer between those servers, zone content generation from
databases, responses from ADNS to RDNS, responses from RDNS to stub, and
application to stub API, are all corruptible elements of the DNS datapath.

> Thoughts?
> 
> Brian Dickson

among all same-cost solutions, which one protects the largest amount of
the DNS datapath?  hint: it's not based on wildcards.

i would love to hear more ideas that involve only one point of action/change,
like UDP port randomization or DNS-0x20.

paul
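The resolver-side DNS-0x20 check Paul points to, as an added example that is not part of his message nor ISC/BIND code: the RDNS randomizes the case of the query name with a secret-keyed mask, then accepts a reply only if it echoes that exact case. The key, the txid mixing and the helper names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed: a per-resolver secret so an off-path forger cannot predict the mask.
RESOLVER_KEY = secrets.token_bytes(32)


def encode_0x20(qname: str, key: bytes, txid: int) -> str:
    """Return qname with each letter's case chosen by an HMAC keyed on the
    resolver secret and the transaction id (assumed construction)."""
    base = qname.lower()
    mask = hmac.new(key, f"{txid}:{base}".encode(), hashlib.sha256).digest()
    out, bit = [], 0
    for ch in base:
        if ch.isalpha():
            byte = mask[(bit // 8) % len(mask)]
            out.append(ch.upper() if (byte >> (bit % 8)) & 1 else ch)
            bit += 1
        else:
            out.append(ch)
    return "".join(out)


def case_entropy_bits(qname: str) -> int:
    """Number of letters in the name, i.e. extra bits a forger must guess."""
    return sum(1 for ch in qname if ch.isalpha())


def accept_response(sent_qname: str, echoed_qname: str) -> bool:
    """Accept only when the question section echoes the exact case we sent.
    A reply that merely matches case-insensitively is rejected as possibly forged."""
    return sent_qname == echoed_qname


def demo(key: bytes = RESOLVER_KEY, txid: int = 0x1234) -> dict:
    # Constructed sample: a resolver querying a randomly-chosen subdomain.
    sent = encode_0x20("a1b2c3.example.com", key, txid)
    return {
        "sent": sent,
        "entropy_bits": case_entropy_bits(sent),
        "genuine_accepted": accept_response(sent, sent),
        # A forger who only knows the lowercase name guesses the wrong case.
        "forged_accepted": accept_response(sent, sent.swapcase()),
    }


if __name__ == "__main__":
    print(demo())
```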
