[dns-operations] summary of recent vulnerabilities in DNS security.

Paul Vixie paul at redbarn.org
Sun Oct 20 19:26:33 UTC 2013


Haya Shulman wrote:
>
> On Sat, Oct 19, 2013 at 9:21 PM, Paul Vixie <paul at redbarn.org> wrote:
>
>     by this, do you mean that you have found a fragmentation based
>     attack that works against DNSSEC?
>
> [...]

i interpreted your answer to my question as "no", since every
counter-example you cited was a case where dnssec was used improperly.

>     by this, do you mean that if DNSSEC is widely deployed, your other
>     recommendations are unnecessary?
>
>
> [...]

i interpreted your answer to my question as "no", since every
counter-example you cited was a case where dnssec was used improperly.
most importantly, the lack of signed delegations and signed glue is by
design, and is not a weakness in dnssec, since the only remaining
vulnerability is denial of service, of which there are many other (and
easier) methods.

>
>
>     in 2008, we undertook the short term (five years now)
>     countermeasure of source port randomization, in order to give us
>     time to deploy DNSSEC. if five years made no difference, and if
>     more short term countermeasures are required, then will another
>     five years be enough? perhaps ten years? exactly how long is a
>     "short term" expected to be?
>
>     for more information, see:
>
>     http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/
>
>
> Thanks, you summarised this very nicely. I'd like to bring it to your
> attention that, in contrast to other sections, you did not cite our
> work explicitly, in a section where you describe our fragmentation
> based attacks (please add it).

i'd have to read your published work before i could cite it. can you
tell me where to find it online, outside any paywall or other
restrictions? note that i'll be happy to respond, with citations, since
your work is so topical.

> ... I believe that five years is not a significant time frame in terms
> of the future of the Internet. So, IMHO it may be the case that
> further countermeasures may be required.

i believe that if we can't make a significant difference in the
resiliency and quality of core internet infrastructure after 16 years,
then we wasted our time. and i know that if five more years wasn't
enough, then fifty years would also not be enough. as an industry we
must at some point either declare victory and stop creating lower
quality counter-measures which add complexity, or we must declare
failure and stop expecting dnssec to help with any problems we might
discover in the existing system.

we can't realistically or credibly have it both ways.

> BTW, port randomisation prevents a number of attacks (not only cache
> poisoning) and so is useful even when DNSSEC is fully deployed and
> validated.

i'd like to hear more about this. at the moment i have no picture in my
head of "not only cache poisoning" when i think of the prevention
offered by source port randomization.

vixie
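The thread above treats source port randomization as the stop-gap that bought time for DNSSEC. A resolver operator wanting to know whether that stop-gap is actually in effect on their own resolver (or is being undone by a NAT in front of it) can measure the ports seen on outgoing queries. The following is an added example, not part of either correspondent's message: it classifies a sample of observed source ports as fixed, sequential, low-entropy or randomized. The port lists are constructed for illustration; in practice they would be parsed from a capture of the resolver's outbound queries.

```python
import math
from collections import Counter

# Constructed sample port sequences (not captured from any real resolver).
# Each list stands for the UDP source ports seen on successive outgoing queries.
FIXED_PORTS = [53] * 20
SEQUENTIAL_PORTS = list(range(32768, 32768 + 20))
NARROW_PORTS = [1030, 1071, 1044, 1025, 1086, 1059, 1037, 1080,
                1052, 1066, 1027, 1075, 1041, 1063, 1084, 1033]
SPREAD_PORTS = [41923, 5137, 60211, 18804, 33059, 9526, 57390, 27745,
                49102, 2048, 63999, 12345, 38716, 54422, 21210, 46077]


def port_entropy_bits(ports):
    """Shannon entropy, in bits, of the empirical port distribution.

    With n samples the value cannot exceed log2(n), so a small capture
    underestimates a good generator's true entropy; read it together with
    the span and sequential checks rather than on its own."""
    n = len(ports)
    counts = Counter(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sequential_fraction(ports):
    """Fraction of consecutive pairs that increase by exactly one, the
    signature of a resolver (or NAT) that allocates ports by incrementing."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess(ports):
    """Classify a port sample as 'fixed', 'sequential', 'low-entropy' or
    'randomized' and return the supporting measurements."""
    if not ports:
        raise ValueError("need at least one observed port")
    n = len(ports)
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    entropy = port_entropy_bits(ports)
    seq = sequential_fraction(ports)
    if distinct == 1:
        verdict = "fixed"
    elif seq >= 0.5:
        verdict = "sequential"
    elif span < 4096 or entropy < math.log2(n) - 1.0:
        # A narrow range or many repeats leaves far fewer ports to guess,
        # so the randomization adds little on top of the 16-bit transaction ID.
        verdict = "low-entropy"
    else:
        verdict = "randomized"
    return {"samples": n, "distinct": distinct, "span": span,
            "entropy_bits": round(entropy, 3),
            "sequential_fraction": round(seq, 3), "verdict": verdict}


if __name__ == "__main__":
    samples = [("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
               ("narrow", NARROW_PORTS), ("spread", SPREAD_PORTS)]
    for name, sample in samples:
        print(f"{name:>10}: {assess(sample)}")
```

The thresholds (a span under 4096 ports, or entropy more than one bit below the sample maximum) are assumptions chosen for the constructed samples; for a real capture, take a few hundred queries so the entropy estimate is not dominated by the log2(n) ceiling, and compare against what the resolver's documentation says its port range should be.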