[dns-operations] resolvers considered harmful

David Conrad drc at virtualized.org
Wed Oct 22 19:47:07 UTC 2014


Mark,

On Oct 22, 2014, at 12:18 PM, Mark Allman <mallman at icir.org> wrote:
>>> Why not just turn on DNSSEC?
>> Important zones are still unsigned, so I can understand why there is a
>> desire for alternative solutions.
> 
> Right.  It isn't like we are lacking for ways to solve the problems we
> know about.  E.g., we know how to mitigate the Kaminsky attack.  But,
> yet, still there are plenty of vulnerable resolvers (per our PAM paper
> From this past spring).  

It might be the case that a good proportion of those vulnerable resolvers (e.g., the stupid CPE that responds to DNS queries on their WAN ports) are actually already following your proposal.

> E.g., we know how to secure DNS records with
> crypto.  But, yet, broadly speaking we don't do it.  So, perhaps we need
> to re-think things.

As I understand it, you're proposing pushing the resolvers out to the edges (something I'm in favor of), however if you're not doing DNSSEC at the edges, won't those edge caches still be vulnerable to cache poisoning attack?  Granted, the impact would be less than in the case of a shared resolver, but a shared resolver probably has more folks watching to detect the attack and is more likely to be operated by someone with clue...

Regards,
-drc

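The cache-poisoning risk David raises above (an unsigned edge cache, a Kaminsky-style race against it, and what DNSSEC validation changes) as an added worked example. This is a constructed toy model written for this archive page, not code from either poster and not any real resolver. It assumes a 16-bit TXID, a fixed source port of 53 for the "legacy" case versus the 1024-65535 ephemeral range for the port-randomising case, an attacker who can trigger lookups of fresh random subdomains and race each one with forged replies, and it stands in for RRSIG validation with an HMAC under a key the forger does not hold. All of those are assumptions of the model and are marked as such in the code.

```python
"""Toy model of the blind cache-poisoning race (Kaminsky-style) discussed above.

Constructed example, not a real resolver.  The attacker triggers lookups of
random subdomains and races each one with forged replies carrying a bogus
'example.com. NS' record; a forgery lands if its (TXID, destination port)
matches the resolver's outstanding query before the real reply arrives.
'DNSSEC validation' is stood in for by an HMAC under a key the forger lacks.
"""
import hashlib
import hmac
import random

TXID_SPACE = 1 << 16                   # 16-bit transaction ID
EPHEMERAL_PORTS = range(1024, 65536)   # pool used by a port-randomising resolver
LEGACY_PORT = 53                       # assumption: one fixed source port for every query
ZONE_KEY = b"constructed-zone-key"     # toy stand-in for the zone's DNSKEY/RRSIG chain


def sign(name, rdata):
    """Toy stand-in for an RRSIG: only the legitimate zone can produce it."""
    return hmac.new(ZONE_KEY, f"{name}={rdata}".encode(), hashlib.sha256).digest()


class ToyResolver:
    """Caches the first reply whose (TXID, port) matches an outstanding query."""

    def __init__(self, rng, randomize_port, validate):
        self.rng = rng
        self.randomize_port = randomize_port
        self.validate = validate
        self.outstanding = {}  # (txid, port) -> qname
        self.cache = {}        # owner name -> rdata

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else LEGACY_PORT
        self.outstanding[(txid, port)] = qname
        return txid, port

    def receive(self, txid, port, qname, name, rdata, rrsig):
        """Return True if the reply was accepted into the cache."""
        if self.outstanding.get((txid, port)) != qname:
            return False      # no live query with that ID/port: silently dropped
        if self.validate and not hmac.compare_digest(rrsig, sign(name, rdata)):
            return False      # race won, but the record does not validate: rejected
        del self.outstanding[(txid, port)]
        self.cache[name] = rdata
        return True


def attack(rng, randomize_port, validate, forgeries_per_query, queries,
           attacker_knows_ids=False):
    """Run one poisoning attempt; True if the bogus NS record enters the cache."""
    resolver = ToyResolver(rng, randomize_port, validate)
    for i in range(queries):
        qname = f"rnd{i}.example.com."          # fresh name, so it is never cached
        txid, port = resolver.send_query(qname)
        if attacker_knows_ids:                  # worst case: attacker observed the query
            guesses = {(txid, port)}
        elif randomize_port:                    # must guess both TXID and port
            guesses = {(rng.randrange(TXID_SPACE), rng.choice(EPHEMERAL_PORTS))
                       for _ in range(forgeries_per_query)}
        else:                                   # port is known, only the TXID to guess
            guesses = {(t, LEGACY_PORT)
                       for t in rng.sample(range(TXID_SPACE), forgeries_per_query)}
        for g_txid, g_port in guesses.intersection(resolver.outstanding):
            if resolver.receive(g_txid, g_port, qname, "example.com.",
                                "ns.attacker.example.", b"bogus"):
                return True
        # every forgery lost the race; the genuine reply arrives and is cached
        resolver.receive(txid, port, qname, qname, "192.0.2.1", sign(qname, "192.0.2.1"))
    return False


def poison_probability(forgeries_per_query, queries, randomize_port):
    """Closed form for the same race, assuming distinct guesses per query."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    p_query = min(forgeries_per_query, space) / space
    return 1 - (1 - p_query) ** queries


def success_rate(randomize_port, validate, forgeries_per_query, queries, trials,
                 attacker_knows_ids=False, seed=1):
    """Fraction of `trials` independent attacks that poison the cache."""
    rng = random.Random(seed)
    wins = sum(attack(rng, randomize_port, validate, forgeries_per_query, queries,
                      attacker_knows_ids) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("fixed port, no validation  :", success_rate(False, False, 1000, 50, 60),
          "(analytic %.2f)" % poison_probability(1000, 50, False))
    print("random port, no validation :", success_rate(True, False, 1000, 50, 20),
          "(analytic %.1e)" % poison_probability(1000, 50, True))
    print("attacker knows IDs, validating:",
          success_rate(True, True, 0, 1, 3, attacker_knows_ids=True))
```

Running it shows the point of both halves of the thread: with a fixed source port the 16-bit TXID is guessable within a few dozen triggered queries at a thousand forgeries each, port randomisation grows the guess space to roughly 2^32 so the same budget almost never lands, and a validating resolver rejects the forged record even when the attacker knows the TXID and port outright. That last case is the gap left when the cache sits at the edge but is not doing DNSSEC validation.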