Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

Florian Weimer <fw@deneb.enyo.de> Fri, 29 May 2009 19:05 UTC

Return-Path: <fw@deneb.enyo.de>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5248D3A6FD2 for <asrg@core3.amsl.com>; Fri, 29 May 2009 12:05:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.521
X-Spam-Level:
X-Spam-Status: No, score=-1.521 tagged_above=-999 required=5 tests=[AWL=0.728, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SC6zS0xFu6EP for <asrg@core3.amsl.com>; Fri, 29 May 2009 12:05:01 -0700 (PDT)
Received: from mail.enyo.de (mail.enyo.de [212.9.189.167]) by core3.amsl.com (Postfix) with ESMTP id 704F73A7042 for <asrg@ietf.org>; Fri, 29 May 2009 12:03:42 -0700 (PDT)
Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1MA7OE-0003Be-Kl for asrg@ietf.org; Fri, 29 May 2009 21:05:14 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.69) (envelope-from <fw@deneb.enyo.de>) id 1MA7OE-0005Pn-A4 for asrg@ietf.org; Fri, 29 May 2009 21:05:14 +0200
From: Florian Weimer <fw@deneb.enyo.de>
To: asrg@ietf.org
References: <003d01c9dd01$bf3531d0$800c6f0a@china.huawei.com> <4A1A45BA.5030704@swin.edu.au> <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com> <6684E747-55CB-4BB3-B838-9F4FE906AFE7@mail-abuse.org> <200905251603.MAA16221@Sparkle.Rodents-Montreal.ORG> <CCE0A3E1-4BCB-460C-AEA0-6548BB4AE8FE@mail-abuse.org> <4A1D64C9.5060505@tana.it> <47BC2197-472E-4615-97D2-F7E42B8F3B7D@mail-abuse.org>
Date: Fri, 29 May 2009 21:05:14 +0200
In-Reply-To: <47BC2197-472E-4615-97D2-F7E42B8F3B7D@mail-abuse.org> (Douglas Otis's message of "Wed, 27 May 2009 10:57:29 -0700")
Message-ID: <87d49rraqd.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2009 19:05:02 -0000

* Douglas Otis:

>> Just using TCP would prevent most of the DNS poisoning attacks that
>> Amir's paper reports.
>
> TCP is prone to DDoS attack.

Only when implemented naively.  If the client does not split the query
into two packets or artificially lowers the window size, you can
answer it without creating any state.

The argument against TCP is not the protocol.  It's just that you have
to upgrade both authoritative servers and resolvers to make it work
well.
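The condition in the reply above, that a server can answer a TCP DNS query without keeping state only when the whole query arrives in the first data segment, can be illustrated at the application layer. The following is an added example written for this archive page, not code from the post's author or from any DNS implementation; it builds a constructed query for example.com, applies the two-octet length prefix DNS uses on TCP (RFC 1035 section 4.2.2), and shows why a query split across two segments forces the responder to buffer (i.e. keep per-connection state) until the rest arrives. The function and class names are the example's own.

```python
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Return a wire-format DNS query (12-byte header + one question, QCLASS IN).
    Constructed sample data for this example; RD flag set, QDCOUNT=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question

def tcp_frame(msg: bytes) -> bytes:
    """Prefix a DNS message with the two-octet length used on TCP."""
    return struct.pack("!H", len(msg)) + msg

def complete_in_first_segment(segment: bytes) -> bool:
    """True if one TCP segment carries exactly one whole length-prefixed query.
    This is the application-layer half of the 'answer without state' condition:
    if it fails, the responder must hold the partial bytes until more data arrives."""
    if len(segment) < 2:
        return False
    n = struct.unpack("!H", segment[:2])[0]
    return len(segment) == 2 + n

class TcpDnsFramer:
    """Stateful reassembly of DNS messages from a TCP byte stream, however the
    peer chose to segment it (one message per segment, split, or several at once)."""
    def __init__(self):
        self.buf = b""  # bytes of an incomplete message carried across segments

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        msgs = []
        while len(self.buf) >= 2:
            n = struct.unpack("!H", self.buf[:2])[0]
            if len(self.buf) < 2 + n:
                break  # partial message: state must survive until the next segment
            msgs.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return msgs

def parse_qname(msg: bytes) -> str:
    """Extract the question name from a query (queries carry no name compression)."""
    i, labels = 12, []
    while msg[i] != 0:
        ln = msg[i]
        labels.append(msg[i + 1:i + 1 + ln].decode("ascii"))
        i += 1 + ln
    return ".".join(labels)

def demo() -> dict:
    """Contrast the two cases the reply distinguishes."""
    framed = tcp_frame(build_query("example.com"))
    # Case 1: the whole query is in one segment; a responder could answer it
    # without retaining anything about the connection.
    whole = complete_in_first_segment(framed)
    # Case 2: the client split the same query into two segments; the first one
    # alone cannot be answered, and the framer has to buffer it.
    first, second = framed[:7], framed[7:]
    framer = TcpDnsFramer()
    after_first = framer.feed(first)
    after_second = framer.feed(second)
    return {
        "whole_query_len": len(framed),
        "answerable_stateless": whole,
        "split_first_answerable": complete_in_first_segment(first),
        "messages_after_first": len(after_first),
        "messages_after_second": len(after_second),
        "qname": parse_qname(after_second[0]),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The framer is what a resolver or authoritative server that accepts arbitrary segmentation has to carry per connection; a responder that refuses to buffer and only answers queries meeting `complete_in_first_segment` pushes the remaining state-keeping down to the TCP layer, which is the design choice the reply is pointing at. Whether the transport itself can be handled without state is a property of the TCP stack, not of this code.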