[dns-operations] summary of recent vulnerabilities in DNS security.

Vernon Schryver vjs at rhyolite.com
Tue Oct 29 02:10:26 UTC 2013

> From: Haya Shulman <haya.shulman at gmail.com>

> > That claim against having "[injected] spoofed content into the DNS
> > response (despite the use of Eastlake cookies for protection)" is false
> > unless that attack was against DNS clients and servers using DNS
> > cookies, and not merely the cookies described in
> > https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03
> > but cookies in an as-yet unpublished proposal with a payload checksum.
> > Note that I thought that there are no available implementations even
> > of original flavor cookies.
> You may have missed the beginning of that discussion... Paul Vixie already
> suggested to add a CRC to protect against our fragmentation attacks, as
> well as the new attack idea that I proposed earlier in this thread, fyi:
> > i expect that in consideration of your fragmentation work, he will add a
> > 32-bit CRC covering the full message to the EDNS option that contains the
> > cookie.

That does not address my point.  Did Haya Shulman test against DNS
Cookies?  If not, then the claim having "[injected] spoofed content
into the DNS response (despite the use of Eastlake cookies for
protection)" is false and at best an expression of hope that such an
attack might work.

Please note that my question about whether this latest fragmentation
attack was blind was not answered.  If it was blind, as some have
privately described their understandings, then how were UDP
checksums fixed?

> In any case, it is great that you also agree that the published proposal
> may be vulnerable and propose to use checksum to prevent those attacks.

That misrepresents my words and my position.

I am not convinced that this attack differs from the previous claimed
attacks on DNS.  They all seem to be easily fixed by properly
deploying DNSSEC.  They also all seem more difficult than other,
easier attacks that achieve similar ends (bad DNS data), and
that are also thwarted by properly deployed DNSSEC.

Given the UDP checksum, I do not understand the significant protection
of adding a CRC to DNS Cookies.   DNS responses do need protection,
but that's the job of DNSSEC.  DNS Cookies have been advocated for
reducing false positives for anti-reflection mechanisms such as
RRL.  For that purpose, DNS Cookies are on DNS requests instead of
responses, and I see no good there from adding a CRC.

Vernon Schryver    vjs at rhyolite.com
