DNS is broken, and by extension so is RMX (Re: [Asrg] Re: RMX Records)

Adam Back <adam@cypherspace.org> Tue, 04 March 2003 19:25 UTC

From: Adam Back <adam@cypherspace.org>
To: Roland <list-asrg@openrbl.org>
Cc: ASRG <asrg@ietf.org>
Subject: DNS is broken, and by extension so is RMX (Re: [Asrg] Re: RMX Records)
Message-ID: <20030304192202.A4358597@exeter.ac.uk>
References: <20030304000807.A4309027@exeter.ac.uk> <20030304092839.GA1965@danisch.de> <courier.3E647F38.0000EC37@msgid.vqx.net>
Date: Tue, 04 Mar 2003 19:22:02 +0000

On Tue, Mar 04, 2003 at 10:26:00AM +0000, Roland wrote:
> Hadmut Danisch wrote:
> > Fixing the security problems of 
> > DNS is the task of another IETF working group. We shouldn't try
> > to improve the whole world, but focus on spam.
> 
> Bulkers need to spew out millions of mails, they would need to poison
> thousands of nameservers which is simply not feasible.

I think you have not looked at DNS security issues.  It is far
easier to exploit and the cost can be amortized over many messages.
Read the paper I quoted:

http://www.securityfocus.com/guest/17905

It summarises many of the known vulnerabilities and shows the
limitations to what an implementation can do without changing the
protocol.

On the risks associated with DNS security for the RMX application,
consider:

a) the sender knows when the SMTP server will make the DNS request (he
just injected the mail) so he can send a flurry of DNS UDP response
packets to arrive before the real response;

b) the sender can choose the TTL on his forged DNS response, making it
last for weeks;

c) during this time he can spam at full volume.
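As an added illustration (not part of the thread), a small Python model of points (a) to (c) seen from the resolver's side: the cache keeps whichever answer to the pending query arrives first, the sender of that answer picks its TTL, and the two knobs a defender controls are how unpredictable the pending query is (the 16-bit transaction id alone, or more bits with a randomized source port) and a cap on how long any cached answer may live. Names, addresses, rates and the cap values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    rdata: str
    ttl: int            # seconds, chosen by whoever sent the response
    forged: bool = False


class RmxCache:
    """First answer matching the pending query wins; TTL clamped to max_ttl."""

    def __init__(self, max_ttl: int):
        self.max_ttl = max_ttl
        self.entries = {}

    def accept(self, ans: Answer, now: int) -> bool:
        if ans.name in self.entries:   # a later (genuine) answer is discarded
            return False
        self.entries[ans.name] = (ans, now + min(ans.ttl, self.max_ttl))
        return True

    def lookup(self, name: str, now: int):
        hit = self.entries.get(name)
        if hit is None or now >= hit[1]:
            self.entries.pop(name, None)
            return None
        return hit[0]


def flurry_hit_probability(packets: int, entropy_bits: int) -> float:
    """P(at least one of `packets` blind guesses matches `entropy_bits` bits)."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** packets


def spam_per_poisoning(ttl: int, max_ttl: int, msgs_per_sec: float) -> float:
    """Messages deliverable under one forged record before it expires."""
    return min(ttl, max_ttl) * msgs_per_sec


def exposure_demo(check_at: int = 2 * 3600):
    """Constructed scenario: a week-long forged answer beats the genuine one."""
    week = 7 * 24 * 3600
    uncapped, capped = RmxCache(max_ttl=week), RmxCache(max_ttl=3600)
    forged = Answer("example.com", "rmx:198.51.100.7", ttl=week, forged=True)
    genuine = Answer("example.com", "rmx:192.0.2.25", ttl=300)
    for cache in (uncapped, capped):
        cache.accept(forged, now=0)    # forged flurry arrives first
        cache.accept(genuine, now=1)   # real answer loses the race
    return uncapped.lookup("example.com", check_at), capped.lookup("example.com", check_at)
```

With the cap, the forged record is gone two hours later; without it, every message sent for a week is checked against the attacker's data.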

> Such harmful manipulations are already covered by the laws in many
> countries, and there are more secure alternatives to bind available.

I don't see law being any significant barrier to spam.  There are too
many jurisdictions, too many opportunities for spammers to hide their
identities, and too much money involved for it to be a deterrent; and
anyway introducing laws into internet protocols invites hamfisted
politicians to introduce laws generally to the detriment of internet
users who are still poorly represented.

Hadmut claims this is not a problem because we can leave fixing DNS to
the IETF:

> Fixing the security problems of DNS is the task of another IETF
> working group. We shouldn't try to improve the whole world, but
> focus on spam.

but basing a supposed fix on a heavily broken protocol, with no known
solution without replacing the entire protocol, big deployment
problems in doing that in a backwards compatible way, and a long
history of failure to deploy DNSSEC, a backwards compatible and
incremental improvement, introduces more problems than it fixes.

I think the deployment path is the most difficult challenge of
anti-spam measures.  Adding a dependency on another hard tech problem
with a yet unsolved deployment path doesn't solve the problem.

Adam
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg