[dns-operations] summary of recent vulnerabilities in DNS security.

Vernon Schryver vjs at rhyolite.com
Mon Oct 21 20:05:26 UTC 2013

> From: Colm MacCárthaigh <colm at stdlib.net>

> > On what do you base your claims about the fatal costs of DNSSEC
> > validation?
> I wrote that the costs are high, not fatal. 

I'm sure I'm not the only person who read your words as a claim
that validation should not be enabled because of those high costs.

>                                             http://dns.comcast.net/
> serves as a reasonable, though not complete, public example list of
> issues.

Everything has issues; what is your point?  Have you turned on
DNSSEC where you can?  If not, why not?

> > True, but the right question is not "Does DNSSEC add vulnerabilities?"
> > but "Overall, is DNS more or less secure with DNSSEC?" or "Among all
> > of the things I can do, what will improve the security of my users and
> > the Internet in general?"
> This thread concerns the vulnerabilities uncovered in the fragment
> attacks. One of those vulnerabilities is that domains can be rendered
> unresolvable; even when DNSSEC is enabled. That seems like something
> to take seriously.

The implication that I have suggested that the denial of service
vulnerabilities associated with DNSSEC should not be taken seriously is
false.  Again, the question is not whether the availability security
issues with DNSSEC should be taken seriously, but whether DNSSEC
is better than the alternative of no DNSSEC and perhaps relying
on port randomization.

Port randomization is an extremely thin reed for security, because
there are so few port number bits.  Random ports are like random
TCP ISNs, better than easily predictable numbers but almost but not
quite irrelevant to security.  Anyone selling random ports in place
of or as important as in-band authentication (e.g. DNSSEC) is doing
harm and has suspect motives or expertise.

> > I suspect Kaminsky got the credit because he had been contributing to
> > the field for years.  But who cares who got there first?
> Evidently Paul Vixie does. That's what I was responding to.

I assume you are familiar with the informal rules for such credit.  It
would be wrong for Paul Vixie to credit Haya Shulman with that which
was long ago credited to Kaspersky.  Paul Vixie made clear his willingness
to credit Haya Shulman with a pointer to her paper after reading it,
as well as his reluctance to pay to read it.  From her "on my website"
(paraphrased) words, I assumed it is easily found or that she would
give us a free URL.  After looking and waiting, as far as I can tell, neither
is the case.  Also after looking, I guessed that Springer might throw
a fit if she self-published.  She could have mentioned that difficulty.

There is nothing wrong with her getting paid for that paper, although
I won't pay to read it.  I do find something unseemly in her ducking
and dodging the question of the relative importance and
effectiveness of DNSSEC and port randomization.

> > Let's agree that ports ought to be as random as TCP ISNs, improve port
> > randomness where each of us can, and stop implying that anyone thinks
> > or says otherwise.
> O.k., but what about fragmentation point randomisation, or randomized
> DNS payload padding?

What about them?  I think I saw agreement somewhere about reducing
non-DNSSEC MTUs to help the non-DNSSEC fragmentation issue, and so I
assume those changes will be made.  I don't have an opinion about DNS
payload padding, and so won't be submitting any relevant bug reports.

Are you an NSD, Unbound, or BIND committer and if so, have you
proposed changes?  Have you submitted relevant bug reports so that
those implementations can be changed as you think appropriate?

Vernon Schryver    vjs at rhyolite.com
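The argument above turns on how much a random source port actually buys against an off-path forger, and on whether a given resolver's ports are random at all. The following Python script is an added example, not code from the original post nor from NSD, Unbound or BIND: it audits an in-order capture of (TXID, source port) pairs, flags a resolver whose port is a counter, and turns the apparent port space into the average number of spoofed replies a blind attacker needs to match one TXID+port pair. The two captures are constructed inline; the 1024-65535 port range, the "moved by at most 8" step window and the 0.5 threshold are assumptions chosen for the example.

```python
"""Audit the source-port randomness of a recursive resolver from a list of
observed (txid, source_port) pairs.  Added example; the query records are
constructed below, not captured from any real resolver."""
import math
import random

# Assumed port range for the example; many resolvers use a range like this.
PORT_MIN, PORT_MAX = 1024, 65535
TXID_SPACE = 1 << 16          # the DNS transaction ID is 16 bits


def sequential_resolver(n, seed=1, start=32768):
    """Constructed sample: TXID is random but the source port is a counter."""
    rng = random.Random(seed)
    return [(rng.getrandbits(16), start + i) for i in range(n)]


def random_resolver(n, seed=2):
    """Constructed sample: both TXID and source port are drawn at random."""
    rng = random.Random(seed)
    return [(rng.getrandbits(16), rng.randint(PORT_MIN, PORT_MAX))
            for _ in range(n)]


def audit_ports(queries, window=8, threshold=0.5):
    """Estimate how predictable the source ports in `queries` are.

    Returns a dict with:
      distinct         - number of different ports seen (a counter scores
                         high here too, so this alone proves nothing)
      step_fraction    - share of consecutive queries whose port moved by at
                         most `window`; near 1.0 for a counter, near 0 for
                         random draws over the full range
      port_bits        - log2 of the apparent port space: 0 when the next
                         port is guessable from the last, else log2 of the
                         observed span
      expected_guesses - spoofed replies an off-path attacker must send on
                         average to hit one TXID+port pair (half the space)
    """
    ports = [port for _, port in queries]
    if len(ports) < 2:
        raise ValueError("need at least two queries")
    small_steps = sum(1 for a, b in zip(ports, ports[1:])
                      if abs(b - a) <= window)
    step_fraction = small_steps / (len(ports) - 1)
    if step_fraction > threshold:
        port_space = 1              # counter: the port adds no uncertainty
    else:
        port_space = max(ports) - min(ports) + 1
    return {
        "distinct": len(set(ports)),
        "step_fraction": step_fraction,
        "port_bits": math.log2(port_space),
        "expected_guesses": TXID_SPACE * port_space // 2,
    }


if __name__ == "__main__":
    for name, capture in (("counter ports", sequential_resolver(2000)),
                          ("random ports", random_resolver(2000))):
        report = audit_ports(capture)
        print(f"{name}: {report['distinct']} distinct, "
              f"step fraction {report['step_fraction']:.3f}, "
              f"{report['port_bits']:.1f} port bits, "
              f"~{report['expected_guesses']:,} guesses per forged answer")
```

The counter case shows why counting distinct ports is not enough: every port is different, yet the next one is known from the last, so the forger is back to guessing 16 bits of TXID. The random case adds roughly 16 more bits, which is the whole "thin reed": about 2^31 guesses on average, a number that bounds the attacker's work by packet rate rather than by any secret.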
