[dns-operations] Massive DNS poisoning attacks in Brazil

Vernon Schryver vjs at rhyolite.com
Wed Oct 3 05:01:07 UTC 2012

> From: Mark Andrews <marka at isc.org>

> Which is just a matter of adding a secure/insecure flag to struct
> addrinfo which is defined to be extended.  ai_flags is currently
> undefined on return[1], but it could be used to return whether the
> answer was secure or not.  Applications that care would check.

Which applications would care?  What's the useful difference to real
applications or users of real applications among:
  - "no answer because firewalls are blocking stuff that offends
    those with the power to block"
  - "no answer because a key has expired"
  - "no answer because a man in the middle is forging stuff"
  - "no answer because the Intertubes are leaking"

The ancient gethostbyname h_errno results of no error, HOST_NOT_FOUND,
and TRY_AGAIN give all applications more than enough information.
(Yes, I know of additional possibilities from h_errno.)
(More than enough, because almost all applications can use
only a boolean "worked/apparently failed hard".)

The green, blue, grey, and technicolor browser badges have done no
good except for people angling for junkets to security conferences and
sellers of new Good Housekeeping seals of approval to replace the old
seals that *always* turn out in practice to be without technical merit
and are ignored by users.

There were far too many ways for classic DNS to fail (not to mention
YP/NIS and other name services that run with DNS) to distill into an
errno.  DNSSEC compounds the DNS failure modes.  The DNSSEC failures
that are most important can only be fixed in the layers above 7, and
users can, should, and will only report "the Internet is broken again."

> BIND 9 has shipped with an API for looking up arbitrary rrsets for a
> decade now, getrrsetbyname(), and it returns whether the rrset was
> secure or not.

That and equivalent are fine for the diagnostic tools that 0.1% of
users will try, whose diagnoses will be reported accurately by 0.01%
of users to someone who might fix something, and whose diagnoses
will be understood by 0.001% of users.

Vernon Schryver    vjs at rhyolite.com
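An added illustration, not part of the original post or of any BIND code: a minimal stub that reduces a raw DNS response header to the h_errno-style outcomes discussed above (no error, HOST_NOT_FOUND, TRY_AGAIN, plus NO_DATA as one of the "additional possibilities") and separately reports the AD bit, which is the "secure or not" signal a resolver-facing API such as the proposed addrinfo flag or getrrsetbyname() would surface. Header layout follows RFC 1035/4035; the responses fed to it are constructed, and the function names are this example's own.

```python
import struct
from enum import Enum


class Outcome(Enum):
    """The coarse results a gethostbyname-style caller actually sees."""
    OK = "no error"
    HOST_NOT_FOUND = "HOST_NOT_FOUND"   # name does not exist (NXDOMAIN)
    NO_DATA = "NO_DATA"                 # name exists, no record of this type
    TRY_AGAIN = "TRY_AGAIN"             # SERVFAIL, timeout, garbage, etc.


# DNS header flag bits: QR (response) and AD (authenticated data, RFC 4035).
FLAG_QR = 0x8000
FLAG_AD = 0x0020
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def classify(response: bytes) -> tuple:
    """Map a raw DNS response to (Outcome, secure).

    'secure' is simply the AD bit as set by the upstream validating resolver;
    this stub trusts that bit, it does not validate signatures itself.
    """
    if len(response) < 12:
        # Truncated or garbage reply: indistinguishable from a transient failure.
        return Outcome.TRY_AGAIN, False
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    rcode = flags & 0x000F
    secure = bool(flags & FLAG_AD)
    if rcode == RCODE_NXDOMAIN:
        return Outcome.HOST_NOT_FOUND, secure
    if rcode == RCODE_NOERROR:
        # NOERROR with an empty answer section is "name exists, no such RR type".
        return (Outcome.OK if ancount > 0 else Outcome.NO_DATA), secure
    # SERVFAIL and every other rcode: validation failure, expired key, broken
    # upstream and blocking middlebox all collapse into this one bucket.
    return Outcome.TRY_AGAIN, False


def make_header(rcode: int, ancount: int, ad: bool = False) -> bytes:
    """Construct a 12-byte DNS response header for testing (no question/answer body)."""
    flags = FLAG_QR | (FLAG_AD if ad else 0) | (rcode & 0x000F)
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)
```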
