[dns-operations] Kaminsky: Protect IP Act Would Break DNS

Joe Greco jgreco at ns.sol.net
Sat Jul 16 15:09:48 UTC 2011

> On Jul 16, 2011, at 7:29 PM, Joe Greco wrote:
> > If we remain married to this idea of centralized control over recursion, that control is going to remain a tempting target for policymakers who
> > want to impose a fix for their Big Problem Of The Day. 
> I don't think that politicians wish to exert control over Internet 
> behaviors because they understand that aggregated recursion points 
> in the DNS are somewhat helpful in this regard.  I think they wish 
> to exert control over Internet behaviors irrespective of technical/
> architectural considerations, and that if not DNS, the injection 
> of more-specific prefixes in the routing table, mandated proxies, 
> et al. will serve their ends just as well.

However, those solutions are much more fraught with peril.  When
you start interfering with IP addresses, for example, even assuming
you could inject a v4 /32, you may take down a whole slew of sites
unrelated to what you are attempting to target.  This may be fine
for people who have opted in to a filtering service, but is not too
likely to be acceptable to many as a forced policy.  This will be
less and less practical with v4 going forward, and is already not
practical with v6, unless hosting providers are willing to only
assign contiguous blocks to customers, which seems unlikely.  The
Australian filter is reportedly a mere 10,000 sites, but that's
going to grow.  What service provider is going to want to burn
large numbers of route table entries or filter rules on this?

> With regards to distributed recursion, the argument could be made 
> that the great increase the number of clients which authoritative 
> servers must deal with on a regular basis would not necessarily 
> be a welcome development, and that this model would add more 
> complexity to clients which will complicate support and perhaps 
> lend itself to exploitation by attackers.
> I'm not saying that I'm necessarily opposed to more distributed 
> recursion, but that it's probably a good idea to ensure we 
> understand all the implications prior to pushing for change in 
> this regard.

Are your average authoritative servers actually stressed out by the
level of traffic?

I'm not talking about GoDaddy, Tucows, Yahoo!, or Google.  Those
guys are getting paid or making money handling traffic.  I'm talking
about the average site with authoritative servers, which I do realize is
on the decline.

For example, ours are running like this:

bind   86270  0.0  1.1 11976 11184  ??  S    25Feb10 1225:10.13 /sbin/named

21 hours of CPU in a year and a half.  Our recurser is hit a hundred
times as hard, at least as measured by CPU time.

The number of clients authoritative servers have been dealing with
has been increasing steadily for many years.  Any move towards more
distributed recursion wouldn't be a flag day event, and would instead
be a very gradual transition.

Security concerns are a good question.  No denying that.  However, we
continue to see example after example of how putting all our eggs in a
small number of baskets is bad.

In the end, I guess I'm just puzzled as to why the immediate conclusion
of a bunch of smart guys writing a letter was that recursion would be
pushed further away, rather than pulled closer to the client.  It could
go either way.  With the explosion of advances in CPU and storage, we
could (and maybe should) be seeing more things moved closer to the user.

... JG
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.