[dns-operations] Getting rid of ISP's recursive DNS servers? (Was: Eircom "DNS Attacks" ?)
Michael Sinatra
michael at rancid.berkeley.edu
Mon Jul 20 01:21:54 UTC 2009
On 07/18/09 14:23, Stephane Bortzmeyer wrote:
> On Fri, Jul 17, 2009 at 11:17:22AM -0400,
> Keith Mitchell <keith at isc.org> wrote
> a message of 13 lines which said:
>
>> I'm seeing ongoing coverage of this:
>
> An interesting point of view (Paul Jakma is a known BGP guru):
>
> http://pjakma.wordpress.com/2009/07/15/sharing-dns-caches-considered-harmful/
I'd like to pick on this portion of the article:
"When finally DNSSec is deployed, shared, recursive nameservers remain a
bad idea as they terminate the chain of the trust – the connection
between the NS and client can still be spoofed."
First, it's not necessarily the case that the connection between the NS
and client cannot or will not also be secured by DNSSEC. A stub
resolver could still validate signatures even if it is using an upstream
caching recursor.
Second, the solution offered by the blog entry (everyone runs their own
cache) is no better than a world in which DNSSEC is deployed and big
caching resolvers are still being used. The reason big caches are so
juicy is that there is a single point of attack which can yield a lot of
gain--poisoning a big cache can affect many users. When DNSSEC is
deployed, it is no easier to spoof "the connection between the NS and
client" than it is to poison an individual client with its own caching
resolver.
Arguably, it's harder. Because most clients are topologically closer to
their big shared resolver than they are to most authoritative, root, and
TLD servers, it's probably easier to poison the caches of individual
client recursors than it is to spoof the connection between a large
caching nameserver and its clients in the same AS.
Third, assuming I believe in DNSSEC (and I do), I'd want all of those
little CPE resolvers to be able to validate. I am not sure how well
configuration and key-management (even with RFC 5011) will scale at that
level.
Basically, I think we should put our energy into DNSSEC deployment
instead of millions of CPE recursors.
michael
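As an added illustration of the point made above (this is not part of Michael's message, nor a configuration from any project he names): a local Unbound instance can forward every query to the ISP's shared caching recursor and still validate the DNSSEC chain itself, using an RFC 5011-managed root trust anchor. The upstream address 192.0.2.53 and the anchor path are assumptions chosen for the example; the remaining directives are standard Unbound options.

```conf
# unbound.conf: a validating stub/forwarder behind a shared ISP recursor.
# Added example, not from the original post. The upstream address below is
# a placeholder from the TEST-NET range; substitute the real recursor.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # RFC 5011 automated trust-anchor rollover: Unbound tracks the root
    # DNSKEY RRset and rewrites this file when a new KSK is published.
    # Seed it once with: unbound-anchor -a /var/lib/unbound/root.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Fail closed rather than accept answers from which the upstream
    # stripped RRSIG/DNSKEY records; with permissive mode off, a bogus
    # or spoofed answer from the shared cache yields SERVFAIL locally.
    harden-dnssec-stripped: yes
    val-permissive-mode: no

# Send all queries to the ISP's shared cache instead of iterating from
# the root. Validation still happens here, so the cache is only a
# transport: it cannot forge a signed answer without the zone's key.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

To confirm that validation is happening locally rather than being inherited from upstream, query the local instance with `dig +dnssec` and check for the `ad` flag in the header; then repeat the query with `val-permissive-mode: yes` against a deliberately broken test zone to see the difference between SERVFAIL and an unauthenticated answer. Note that this only works if the shared recursor returns DNSSEC records when the DO bit is set; a recursor that strips them turns every signed zone into SERVFAIL under the settings above, which is the failure mode a practitioner should expect before relying on this arrangement.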