[dns-operations] Massive DNS poisoning attacks in Brazil

Mark Andrews marka at isc.org
Thu Oct 4 00:02:25 UTC 2012

In message <alpine.LSU.2.00.1210031456160.1469 at hermes-1.csi.cam.ac.uk>, Tony Finch writes:
> Vernon Schryver <vjs at rhyolite.com> wrote:
> > Tony Finch <dot at dotat.at> wrote:
> > > Paul Vixie <paul at redbarn.org> wrote:
> > > >
> > > > in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
> > > > was thinking that we'd add "send chain" as an edns option, and then add
> >
> > > I like this plan.
> >
> > All of those DNS tunneling, triggering, alternate port, and other
> > variant protocol schemes for dealing with hotels and public access
> > points attacks on DNS are either unnecessary in the long run or depend
> > on practically no one ever using them.
> You are right about dicking around with port numbers and TLS or HTTP
> framing. However the "send chain" EDNS option would be a widely useful
> operation for validating stubs.
> A stub validator could perhaps send DS and DNSKEY queries for all the
> truncated versions of the name between the target name and the root, which
> it would have to do concurrently to avoid latency pain, but then it will
> have to iterate this to deal with CNAME and/or DNAME chains. The recursor
> has already done all the work so it would be nice to get all the results
> back in one go.
> Tony.

You very soon run into message size limits which is one of the
reasons we don't send DNSKEY as additional data today.

There is no need for this option.  Just open a TCP connection and
send the series of DNSKEY and DS queries required to validate the
answer assuming there is delegation between each label.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
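An added illustration of the approach Mark describes, not code from the thread or from ISC: it enumerates the DNSKEY and DS queries a stub needs for every name between the target and the root (assuming a delegation at every label), repeats that for any CNAME/DNAME targets the recursor followed, and encodes them as DO-bit EDNS queries framed for one TCP connection. The `cname_targets` parameter and the 4096-octet EDNS buffer size are assumptions of this example.

```python
import struct

DNSKEY, DS = 48, 43      # RR type codes (RFC 4034)
EDNS_DO = 0x8000         # DNSSEC OK bit, in the flags half of the OPT TTL (RFC 6891)

def ancestors(name):
    """Every truncation of `name`, from the name itself up to the root ('.')."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    return ['.'.join(labels[i:]) + '.' for i in range(len(labels))] + ['.']

def chain_queries(target, cname_targets=()):
    """(name, qtype) pairs a stub needs, assuming a zone cut at every label:
    DNSKEY at every cut, DS at every cut below the root, repeated for each
    CNAME/DNAME target (assumed parameter). Duplicates such as the root are dropped."""
    seen, out = set(), []
    for name in (target,) + tuple(cname_targets):
        for zone in ancestors(name):
            for qtype in (DNSKEY, DS):
                if qtype == DS and zone == '.':
                    continue                      # the root has no parent, so no DS
                if (zone, qtype) not in seen:
                    seen.add((zone, qtype))
                    out.append((zone, qtype))
    return out

def encode_name(name):
    """Wire-format owner name: length-prefixed labels terminated by a zero octet."""
    labels = [l.encode('ascii') for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l for l in labels) + b'\x00'

def build_query(name, qtype, qid, udp_size=4096):
    """Query with RD set and an OPT RR carrying DO, so DNSKEY/DS answers
    arrive with their RRSIGs. udp_size is an assumed buffer advertisement."""
    header = struct.pack('>HHHHHH', qid, 0x0100, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack('>HH', qtype, 1)  # class IN
    # OPT RR: NAME=root, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b'\x00' + struct.pack('>HHIH', 41, udp_size, EDNS_DO, 0)
    return header + question + opt

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-octet length (RFC 1035 4.2.2)."""
    return struct.pack('>H', len(msg)) + msg

def chain_stream(target, cname_targets=()):
    """All validation queries for one TCP session, pipelined back to back,
    with distinct IDs so the answers can be matched as they return."""
    return b''.join(tcp_frame(build_query(n, t, i + 1))
                    for i, (n, t) in enumerate(chain_queries(target, cname_targets)))
```

Writing `chain_stream(...)` to a connected TCP socket sends the whole series at once; each reply arrives with the same two-octet length framing and can be matched by ID.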
