[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?

Shumon Huque shuque at gmail.com
Wed Apr 17 20:15:47 UTC 2019


On Wed, Apr 17, 2019 at 2:33 PM Jon Reed <jreed at akamai.com> wrote:

> On Wed, 17 Apr 2019, Dave Lawrence wrote:
> > Beyond that, the other modes needed their own attention from
> > developers and things got cleaned up a lot.  I don't know what the
> > current status is, as I've been gone from Akamai for over a year now,
> > but I believe they've got only just a few rarely-encountered edge
> > cases where ENTs could be a problem now.  Perhaps Jon could comment if
> > they've hit 100% yet.
>
> We're not quite at 100%, there are still some problems with a few of the less
> common modes, but there's work underway to fix them.  But we're close
> enough that I'd feel comfortable embracing another flag day around RFC
> 8020, for example.


That would be nice. Despite being an author of RFC 8020, I might be
hesitant to recommend *unilateral* embrace of RFC 8020 though. Besides
the potential incorrect ENT response issue, there is a concern that 8020 can
amplify the effect of DNS spoofing by allowing an adversary to prune out a
large subtree of the DNS in one go, rather than individual nodes. If DNSSEC
was omnipresent, there would of course be no concern, but I'm not sure we
will ever be there. This issue is described in the Security Considerations
of the RFC, where one possible implementation suggestion is to do this only
when the NXDOMAIN response can be authenticated with DNSSEC.

Note that recent versions of Unbound already implement RFC 8020 by default,
but as described above, only for authenticated NXDOMAIN responses. The other
probable reason this might be a good strategy is that signed zones will most
likely get ENT responses correct, for reasons already discussed previously in
this thread. The Unbound configuration knob is called "harden-below-nxdomain". I
am not currently aware of any other resolvers that implement 8020, but would
be happy to be educated.

Incidentally, the upcoming DNS-OARC workshop has a Flag Day panel scheduled,
and one of the questions they will ask is what to do for the next flag day.
Feel free to propose this!

   https://indico.dns-oarc.net/event/31/contributions/678/

Shumon.
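
The policy difference described above, as an added example that is not part of the original post and is not Unbound's code: a toy negative cache in which a cached NXDOMAIN also answers for names below it either always (unilateral RFC 8020) or only when that NXDOMAIN was DNSSEC-validated. The class and function names and the example.org / signed.example names are constructed for illustration.

```python
# Added example: toy negative cache for the RFC 8020 policy choice (hypothetical names).

def labels(name):
    """Split a domain name into a lowercase tuple of labels, leftmost first."""
    return tuple(name.lower().rstrip(".").split("."))

class NegativeCache:
    def __init__(self, require_dnssec=True):
        # True: only DNSSEC-validated NXDOMAINs may prune names below them.
        # False: "unilateral" RFC 8020, any cached NXDOMAIN prunes its subtree.
        self.require_dnssec = require_dnssec
        self.entries = {}  # labels -> (expiry time, validated flag)

    def store_nxdomain(self, name, ttl, validated, now):
        self.entries[labels(name)] = (now + ttl, validated)

    def lookup(self, qname, now):
        """Return "NXDOMAIN" if the cache may answer, else None (ask upstream)."""
        q = labels(qname)
        for i in range(len(q)):          # i == 0 is qname itself, then ancestors
            key = q[i:]
            entry = self.entries.get(key)
            if entry is None:
                continue
            expiry, validated = entry
            if expiry <= now:            # expired entries are dropped, not used
                del self.entries[key]
                continue
            # Exact match is ordinary negative caching; an ancestor match is the
            # RFC 8020 cut and is gated on validation when require_dnssec is set.
            if i == 0 or validated or not self.require_dnssec:
                return "NXDOMAIN"
        return None

def demo():
    """Constructed scenario: one unvalidated NXDOMAIN for b.example.org at t=0."""
    results = {}
    for policy, strict in (("validated-only", True), ("unilateral", False)):
        cache = NegativeCache(require_dnssec=strict)
        cache.store_nxdomain("b.example.org", ttl=300, validated=False, now=0)
        results[policy] = cache.lookup("a.b.example.org", now=10)
    return results

if __name__ == "__main__":
    print(demo())
```

With the same unvalidated NXDOMAIN for b.example.org in both caches, whether it came from a spoofed packet or an incorrect ENT answer, only the unilateral cache stops resolving a.b.example.org.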