[dns-operations] DNS trust dependencies for TLDs

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Jun 11 06:38:48 UTC 2009


[.FR existed long before ICANN and its existence now depends on the
French law - "loi sur les communications électroniques du 9 juillet
2004" - not on ICANN so I took the liberty to change the subject.]

On Thu, Jun 11, 2009 at 12:22:13AM -0500,
 John Kristoff <jtk at cymru.com> wrote 
 a message of 53 lines which said:

> I think it's a worthwhile thing to do.

From a scientific point of view, yes, it is interesting data. As you
note, there is nothing new in it, it has been discussed a lot in 2006
in the CoDoNS context
<http://www.cs.cornell.edu/people/egs/beehive/dnssurvey.html>. An
analysis of this claim (in French) can be found at
<http://www.bortzmeyer.org/dns-vulnerabilites.html>.

In both cases (CoDoNS and Matthew Dempsky's campaign for DNScurve),
the idea is to promote a technology, not to do a full analysis of the
DNS security. In the case of DNScurve, since one of its biggest
limitations is its inability to protect against a rogue secondary
nameserver or a rogue recursive cache, it makes sense to try to
distract people by pointing to other weaknesses (in this case, the
dependency on other domains).

Do note that DNSSEC would entirely solve the mentioned attack (while
DNScurve would not). But .FR is not signed so let's take the problem
in another way: this attack would give control to only a portion of
the caches (those which are closer to the 0wNEd nameserver than to
any other one). The more remote you are in the graph, the smaller the
portion is. Hence, I agree that there is no more need to panic than in
2006. (Also, to exploit the weakness, you need to be a legitimate
customer of the cache, if the cache complies with RFC 5358.)

> I'd be interested in hearing about any real world cases of this or
> related DNS cache poisoning attacks being used in the wild.  I've
> not seen any raw data confirming the vulnerability the clever Dan
> Kaminsky discovered a short while ago.

Indeed. In a previous discussion at the IETF on DNScurve, I mentioned
that DNScurve does nothing to protect against a rogue secondary
nameserver or a rogue recursive cache (something that DNScurve
promoters fail to mention in <http://www.dnscurve.org/dnssec.html>).
Matthew Dempsky jumped on the first problem (rogue secondary
nameserver) and ignored the second one (rogue recursive cache). In the
wild, the first problem is extremely rare (it never occurred for .FR
in 25 years, despite outsourcing the majority of the name servers)
while the second is very common (lying resolvers at ISPs, which
redirect NXDOMAIN to ad pages). Any reasonable analysis of DNS
security should start with this problem.
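As an added illustration of the cross-domain dependency discussed above (this is not part of the original message, and the NS data and function names are my own constructed example), the following script walks a zone's out-of-bailiwick nameservers and reports every other zone whose operator could, by answering for those names, end up answering for the zone being audited. Dependency on the parent zone (e.g. the root for a TLD) is implicit in DNS and not modelled here.

```python
"""Transitive DNS trust dependencies of a zone, computed from NS data.

A zone served by nameservers whose names live in other zones inherits
the security of those zones: whoever controls them controls where some
resolvers send queries for the audited zone. This script makes that set
explicit so an operator can review it.
"""
from collections import deque

# Constructed sample delegation data (zone -> nameserver hostnames).
# All names are fictional; none of this is real .FR data.
NS_RECORDS = {
    "fr.": ["a.nic.fr.", "d.nic.fr.", "ns1.example.net."],
    "net.": ["a.tld-servers.net.", "b.tld-servers.net."],
    "example.net.": ["ns1.example.net.", "ns2.example.org."],
    "example.org.": ["ns2.example.org.", "ns3.example.com."],
    "org.": ["a.tld-servers.org."],
    "example.com.": ["ns3.example.com."],
    "com.": ["a.tld-servers.com."],
}


def in_zone(name, zone):
    """True if `name` is `zone` itself or lies below it (FQDNs, trailing dot)."""
    return name == zone or name.endswith("." + zone)


def enclosing_zones(host):
    """All proper ancestor names of `host`, nearest first, root excluded."""
    labels = host.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))]


def trust_dependencies(zone, ns_records):
    """Zones outside `zone` that its resolution transitively depends on."""
    deps, queue = set(), deque([zone])
    while queue:
        current = queue.popleft()
        for host in ns_records.get(current, []):
            if in_zone(host, current):
                continue  # in-bailiwick server: glue comes with the delegation
            for ancestor in enclosing_zones(host):
                if in_zone(ancestor, zone) or ancestor in deps:
                    continue  # inside the audited zone, or already recorded
                deps.add(ancestor)
                queue.append(ancestor)  # its own servers extend the graph
    return deps


if __name__ == "__main__":
    for z in ("fr.", "com."):
        print(z, "depends on:", sorted(trust_dependencies(z, NS_RECORDS)))
```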
