[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

Shane Kerr shane at time-travellers.org
Wed Jul 19 07:22:20 UTC 2023

Shumon and all,

On 18/07/2023 21.41, Shumon Huque wrote:
> On Tue, Jul 18, 2023 at 3:29 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote: 
> Yes, I agree. A resolver can't really tell that a response with an 
> expired signature wasn't an attacker trying to replay old data. For 
> robustness against attacks, it must re-query other available 
> servers if they exist.

I kind of think that a resolver using UDP should just drop a response on 
the floor if it has an expired signature. Otherwise an attacker can 
induce behavior change by spoofing replies, which is itself a security 
problem (in this case, blocking with a response that would arrive later 
and work, effectively removing a name server from the set of name 
servers queried for a given lookup).

This idea mostly applies to UDP without DNS cookies since it is the only 
transport easily vulnerable to spoofing. With other transports you are 
much more sure that the answer actually came from the server you are 
querying, and so you can be confident that the server is giving out 
bogus answers. (TCP is vulnerable to BGP hijacking and the like, but in 
that case you would still expect to get bogus answers for subsequent 
queries to the same server.)

Unfortunately I don't think any resolvers hold onto a UDP query until 
after the DNSSEC validation. So there is not really much option other 
than to try again. 🤓
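The policy Shane sketches above, as an added illustration that is not code from this thread or from any resolver: an RRSIG validity-window check done in RFC 1982 serial-number arithmetic (as RFC 4034 section 3.1.5 requires), followed by a per-transport decision. On plain UDP an out-of-window signature is dropped and the query stays open for a later datagram; on TCP or UDP with DNS cookies the server itself is known to have sent the bogus data, so it is marked bogus for this lookup and another server is tried. The Transport and Action names, the process_replies() simulation and the timestamps are constructed for the example.

```python
"""Added example: a resolver-side policy for responses whose RRSIG is outside its
validity window. Not code from the dns-operations thread or from any resolver;
the transport/action names and the sample timestamps below are constructed."""
from __future__ import annotations

import calendar
import time
from dataclasses import dataclass
from enum import Enum

MASK32 = 0xFFFFFFFF
HALF_RANGE = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number comparison 'a < b' on 32-bit values.

    RFC 4034 section 3.1.5 requires RRSIG Inception/Expiration to be compared
    this way, so a timestamp that has wrapped past 2^32 still orders correctly.
    """
    a &= MASK32
    b &= MASK32
    return (a < b and b - a < HALF_RANGE) or (a > b and a - b > HALF_RANGE)


def parse_rrsig_time(text: str) -> int:
    """Parse the RRSIG presentation form YYYYMMDDHHmmSS (UTC, RFC 4034 3.2)
    into the 32-bit seconds-since-epoch value carried on the wire."""
    if len(text) != 14 or not text.isdigit():
        raise ValueError(f"not a YYYYMMDDHHmmSS timestamp: {text!r}")
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) & MASK32


@dataclass(frozen=True)
class Rrsig:
    """Only the two RRSIG fields that matter for the validity-window check."""
    inception: int
    expiration: int


def in_validity_window(sig: Rrsig, now: int) -> bool:
    """RFC 4034 3.1.5: the signature is usable iff inception <= now <= expiration,
    with both comparisons done in serial-number arithmetic."""
    now &= MASK32
    return not serial_lt(now, sig.inception) and not serial_lt(sig.expiration, now)


class Transport(Enum):
    UDP = "udp"                 # plain UDP: trivially spoofable by an off-path attacker
    UDP_COOKIE = "udp+cookie"   # RFC 7873 cookies: reply provably came from the server
    TCP = "tcp"                 # handshake: reply came from whoever holds the server's path


class Action(Enum):
    ACCEPT = "accept"
    DROP_KEEP_WAITING = "drop silently; keep the query open for a later reply"
    MARK_BOGUS_REQUERY = "treat the server as bogus for this lookup; re-query another"


def decide(sig: Rrsig, transport: Transport, now: int) -> Action:
    """Policy from the post: on a spoofable transport an out-of-window signature
    proves nothing about the server, so drop the datagram rather than let an
    attacker knock the server out of the candidate set; on an authenticated
    transport the server itself sent the bogus data, so move on."""
    if in_validity_window(sig, now):
        return Action.ACCEPT
    if transport is Transport.UDP:
        return Action.DROP_KEEP_WAITING
    return Action.MARK_BOGUS_REQUERY


def process_replies(sigs: list[Rrsig], transport: Transport, now: int) -> tuple[Action, int | None]:
    """Simulate one outstanding query receiving replies in arrival order.

    Returns the final action and the index of the accepted reply, or None when
    no reply was accepted (server abandoned, or timed out still waiting).
    """
    for index, sig in enumerate(sigs):
        action = decide(sig, transport, now)
        if action is Action.ACCEPT:
            return action, index
        if action is Action.MARK_BOGUS_REQUERY:
            return action, None
        # DROP_KEEP_WAITING: ignore this datagram and wait for the next one
    return Action.DROP_KEEP_WAITING, None


if __name__ == "__main__":
    # Constructed scenario: an attacker races a reply carrying an expired
    # signature ahead of the authoritative server's good reply.
    now = parse_rrsig_time("20230719072220")
    expired = Rrsig(parse_rrsig_time("20230601000000"), parse_rrsig_time("20230615000000"))
    valid = Rrsig(parse_rrsig_time("20230715000000"), parse_rrsig_time("20230729000000"))
    for transport in Transport:
        print(transport.value, process_replies([expired, valid], transport, now))
```

With the spoofed expired reply arriving first, the UDP path still accepts the genuine second reply, whereas the "mark bogus and move on" behaviour abandons the server on the attacker's say-so. A real resolver would apply this after full RRSIG verification (the window check alone is not validation) and would need to keep the UDP socket and query state open past validation, which, as the post notes, current resolvers do not do.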

