[dns-operations] Another whitepaper on DDOS

Mike Jones mike at mikejones.in
Tue Feb 26 21:36:42 UTC 2013


On 26 February 2013 19:45, Tony Finch <dot at dotat.at> wrote:
> Vernon Schryver <vjs at rhyolite.com> wrote:
>> > From: Tony Finch <dot at dotat.at>
>> >
>> > In addition to vjs's points, note that DNSSEC makes theft of a domain
>> > even more visible because it is likely to cause horrible breakage for
>> > validating users.
>>
>> I didn't mention those alarms, because I assumed the domain was
>> stolen at the registrar or in the registry so that glue and DS
>> records would be corrected by the adversary.
>
> I assumed that too :-) It's a common problem (see Educause recently...)
>
> The problem occurs because it is likely for caches to contain different
> parts of the validation chain (DS from parent, DNSKEYs and RRSIGs from
> child) from before and after the hack.

What if you add your server to the delegation, and either leave one of
their servers in the list or clone their zone and host that on a
separate server? Resolvers with the old keys cached will only take
answers from the old servers. Resolvers that have refreshed and got
the new keys will only take answers from the new servers. This gives
you a 'transition period' where you can't attack everyone yet, but you
should be able to selectively attack the ones that have the new key
set without causing any disruption to ones that don't.

Does that idea sound viable? I would like to pre-empt anyone calling
this a flaw with DNSSEC though as DNSSEC is not meant to protect
against someone who can submit new keys for your domain.

- Mike



More information about the dns-operations mailing list