[dns-operations] AT&T DNS Cache Poisoning?

Paul Wouters paul at nohats.ca
Mon Oct 29 14:28:49 UTC 2012

On Mon, 29 Oct 2012, Florian Maury wrote:

> Alice rents Bob a server called "AMX" and uses this server as a MX for
> her domain. The MX record is configured with a TTL of 1 day and the
> record set is signed for 3 months.

The problem is right there. One does not simply sign for 3 months.
Though let's assume you mistakenly did so.

You could still use low TTLs (1h), and then perform a ZSK rollover.
The low TTLs on DNSKEY would quickly make the old ZSK used for signing
that MX record useless. Of course this assumes you also did not use
TTL=1w on the DNSKEY.

> One can tell "She should not have signed for a period that long". It's
> the eternal problem of zone survivability: the shorter the signature,
> the shorter the interval a slave server can serve data before it expires
> without signing the zone himself (which can be a problem if the slave
> server is administrated by a third party).

Slaves should not sign zones. They should slave zones. A signer
should sign zones and push to the primaries. That way, nameserver
compromise is only a DoS of that name server, not an attack vector.

Anyway, this is quickly turning into an argument of "you can deploy
DNSSEC wrongly", which equally applies to other security schemes you
were comparing to DNSSEC.
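Paul's point above, as an added example that is not part of this thread: a small Python model of a validating resolver's DNSKEY cache shows that once the old ZSK is dropped from the zone, a replayed RRSIG made with it stays usable for roughly one DNSKEY TTL, however long its signature validity runs. The key tags, timeline and TTLs are constructed assumptions, not values from the discussion.

```python
from dataclasses import dataclass

HOUR, DAY = 3600, 86400
WEEK = 7 * DAY

@dataclass(frozen=True)
class Rrsig:
    key_tag: int      # tag of the ZSK that produced the signature (constructed)
    inception: int    # validity window, seconds since epoch (constructed)
    expiration: int

def published_keys(t, schedule):
    """Tags present in the zone's DNSKEY RRset at time t.
    schedule maps tag -> (first second published, last second published)."""
    return {tag for tag, (first, last) in schedule.items() if first <= t <= last}

def resolver_dnskey_view(t, schedule, dnskey_ttl, last_fetch):
    """A validator trusts its cached DNSKEY RRset for dnskey_ttl seconds after
    fetching it, then refetches. TTL is treated as inclusive to keep the arithmetic exact."""
    if last_fetch <= t <= last_fetch + dnskey_ttl:
        return published_keys(last_fetch, schedule)
    return published_keys(t, schedule)

def replay_validates(rrsig, t, schedule, dnskey_ttl, last_fetch):
    """Would a replayed RRset carrying this RRSIG still validate at that resolver at time t?"""
    in_window = rrsig.inception <= t <= rrsig.expiration
    return in_window and rrsig.key_tag in resolver_dnskey_view(t, schedule, dnskey_ttl, last_fetch)

def replay_deadline(rrsig, schedule, dnskey_ttl):
    """Worst case over all resolvers, i.e. one that refreshed DNSKEY at the last instant
    the old ZSK was still published: the last second the stale signature validates."""
    _, last_published = schedule[rrsig.key_tag]
    return min(rrsig.expiration, last_published + dnskey_ttl)

def stale_mx_lifetime(dnskey_ttl, removal_day):
    """The thread's scenario (constructed): the MX RRset is signed at t=0 with ZSK 1001
    for 90 days; ZSK 2002 is pre-published the day before and 1001 is removed on
    day removal_day. Returns the last second a replay of the old signature validates."""
    schedule = {1001: (0, removal_day * DAY), 2002: ((removal_day - 1) * DAY, 400 * DAY)}
    mx_sig = Rrsig(key_tag=1001, inception=0, expiration=90 * DAY)
    return replay_deadline(mx_sig, schedule, dnskey_ttl)

if __name__ == "__main__":
    for label, ttl in (("DNSKEY TTL 1h", HOUR), ("DNSKEY TTL 1w", WEEK)):
        print(f"{label}, roll on day 10: replay dies after day {stale_mx_lifetime(ttl, 10) / DAY:.3f}")
    print(f"no rollover: replay lives {stale_mx_lifetime(HOUR, 400) / DAY:.0f} days")
```

Without a rollover the 90-day signature is the only bound; with a rollover the DNSKEY TTL becomes the bound, which is why a 1w DNSKEY TTL undoes most of the benefit.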
