DNS is broken, and by extension so is RMX (Re: [Asrg] Re: RMX Records)
Adam Back <adam@cypherspace.org> Tue, 04 March 2003 19:25 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA06429 for <asrg-archive@odin.ietf.org>; Tue, 4 Mar 2003 14:25:27 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h24Ja3106317 for asrg-archive@odin.ietf.org; Tue, 4 Mar 2003 14:36:03 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h24Ja2506314 for <asrg-web-archive@optimus.ietf.org>; Tue, 4 Mar 2003 14:36:02 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA06410; Tue, 4 Mar 2003 14:24:55 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h24JW2506201; Tue, 4 Mar 2003 14:32:02 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h24JVD506171 for <asrg@optimus.ietf.org>; Tue, 4 Mar 2003 14:31:13 -0500
Received: from mercury.ex.ac.uk (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA06281 for <asrg@ietf.org>; Tue, 4 Mar 2003 14:20:06 -0500 (EST)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 4.12) id 18qHzH-00Ca6A-00; Tue, 04 Mar 2003 19:22:03 +0000
From: Adam Back <adam@cypherspace.org>
To: Roland <list-asrg@openrbl.org>
Cc: ASRG <asrg@ietf.org>
Subject: DNS is broken, and by extension so is RMX (Re: [Asrg] Re: RMX Records)
Message-ID: <20030304192202.A4358597@exeter.ac.uk>
References: <20030304000807.A4309027@exeter.ac.uk> <20030304092839.GA1965@danisch.de> <courier.3E647F38.0000EC37@msgid.vqx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <courier.3E647F38.0000EC37@msgid.vqx.net>; from list-asrg@openrbl.org on Tue, Mar 04, 2003 at 10:26:00AM +0000
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Tue, 04 Mar 2003 19:22:02 +0000
On Tue, Mar 04, 2003 at 10:26:00AM +0000, Roland wrote:
> Hadmut Danisch wrote:
> > Fixing the security problems of
> > DNS is the task of another IETF working group. We shouldn't try
> > to improve the whole world, but focus on spam.
>
> Bulkers need to spew out millions of mails, they would need to poison
> thousands of nameservers which is simply not feasible.

I think you have not looked at DNS security issues.  It is far easier
to exploit and the cost can be amortized over many messages.  Read the
paper I quoted:

http://www.securityfocus.com/guest/17905

It summarises many of the known vulnerabilities and shows the
limitations to what an implementation can do without changing the
protocol.

On the risks associated with DNS security for the RMX application,
consider:

a) the sender knows when the SMTP server will make the DNS request (he
   just injected the mail) so he can send a flurry of DNS UDP response
   packets to arrive before the real response;

b) the sender can choose the TTL on his forged DNS response, making it
   last for weeks;

c) during this time he can spam at full volume.

> Such harmful manipulations are already covered by the laws in many
> countries, and there are more secure alternatives to bind available.

I don't see law being any significant barrier to spam.  There are too
many jurisdictions, too many opportunities for spammers to hide their
identities, and too much money involved for it to be a deterrent; and
anyway introducing laws into internet protocols invites hamfisted
politicians to introduce laws generally to the detriment of internet
users who are still poorly represented.

Hadmut claims this is not a problem because we can leave fixing DNS to
the IETF:

> Fixing the security problems of DNS is the task of another IETF
> working group. We shouldn't try to improve the whole world, but
> focus on spam.

but basing a supposed fix on a heavily broken protocol, with no known
solution without replacing the entire protocol, big deployment
problems in doing that in a backwards compatible way, and a long
history of failure to deploy DNSSEC (a backwards compatible and
incremental improvement), introduces more problems than it fixes.

I think the deployment path is the most difficult challenge of
anti-spam measures.  Adding a dependency on another hard tech problem
with a yet unsolved deployment path doesn't solve the problem.

Adam

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
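The race in points (a) to (c) of the message above, as an added illustration that is not code from the post, from the RMX proposal or from any resolver: a toy resolver that accepts the first UDP answer whose transaction ID and destination port match the outstanding query, a blind attacker who knows when the query goes out and sweeps the 16-bit ID space with a forged answer carrying a two-week TTL, and the two implementation-level knobs the message's argument turns on, randomizing the source port and capping the cached TTL. The domain, the addresses (documentation range), the burst sizes and the matching rule are all constructed and simplified; a real resolver also checks the question section and the source address, which the attacker forges, so those are left out.

```python
"""Toy model of the blind DNS-response race: constructed example, not real resolver code."""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                  # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(1024, 65536)  # candidate UDP source ports when randomized
FIXED_PORT = 53                       # classic resolvers sent every query from port 53


@dataclass(frozen=True)
class Response:
    txid: int       # must echo the query's ID
    dst_port: int   # must hit the port the query went out from
    rdata: str      # answer (constructed address from the documentation range)
    ttl: int        # attacker-chosen on a forged packet (point b)


class Resolver:
    """One outstanding query; the first answer matching ID and port wins."""

    def __init__(self, randomize_port, max_ttl=None, rng=None):
        self.rng = rng or random.Random()
        self.randomize_port = randomize_port
        self.max_ttl = max_ttl            # cap applied to any TTL we cache
        self.cache = {}                   # name -> (rdata, expires_at)
        self.pending = None

    def send_query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.pending = (name, txid, port)
        return txid, port

    def receive(self, resp, now):
        if self.pending is None:
            return False                  # nothing outstanding: late/duplicate answer dropped
        name, txid, port = self.pending
        if resp.txid != txid or resp.dst_port != port:
            return False                  # mismatch: a failed guess is silently discarded
        ttl = resp.ttl if self.max_ttl is None else min(resp.ttl, self.max_ttl)
        self.cache[name] = (resp.rdata, now + ttl)
        self.pending = None               # the genuine answer arriving later is ignored
        return True

    def lookup(self, name, now):
        entry = self.cache.get(name)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


def attacker_burst(n, guess_port, rng, rdata="192.0.2.66", ttl=14 * 86400):
    """Blind attacker: sweeps transaction IDs in order, guesses the port only if forced to."""
    for i in range(n):
        port = rng.choice(EPHEMERAL_PORTS) if guess_port else FIXED_PORT
        yield Response(txid=i % TXID_SPACE, dst_port=port, rdata=rdata, ttl=ttl)


def run_race(randomize_port, burst, max_ttl=None, seed=0):
    """Point (a): the attacker knows when the query goes out, so the burst lands first."""
    rng = random.Random(seed)
    resolver = Resolver(randomize_port, max_ttl, rng)
    txid, port = resolver.send_query("example.com")
    for forged in attacker_burst(burst, randomize_port, rng):
        if resolver.receive(forged, now=0):
            break
    # The genuine answer (constructed) arrives after the flurry.
    resolver.receive(Response(txid, port, "192.0.2.1", ttl=300), now=0)
    return resolver


def spoof_probability(burst, randomize_port):
    """Chance a burst of that size hits, if each guess is uniform over the search space."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return 1.0 - (1.0 - 1.0 / space) ** burst


if __name__ == "__main__":
    poisoned = run_race(randomize_port=False, burst=TXID_SPACE)
    print("fixed port, full sweep, day 13:", poisoned.lookup("example.com", 13 * 86400))
    capped = run_race(randomize_port=False, burst=TXID_SPACE, max_ttl=3600)
    print("same, TTL capped to 1h, at 1h:", capped.lookup("example.com", 3600))
    print("P(hit) 65536 pkts, fixed port:  %.3f" % spoof_probability(TXID_SPACE, False))
    print("P(hit) 65536 pkts, random port: %.2e" % spoof_probability(TXID_SPACE, True))
```

With a fixed source port a full sweep of the ID space is a guaranteed hit and the forged record is still served on day 13 (point c); capping the cached TTL bounds how long that lasts, and randomizing the port multiplies the attacker's search space by the number of ports, which is the kind of implementation-level limit the message says is all that can be done without changing the protocol.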
- Re: [Asrg] Re: RMX Records Derek J. Balling
- [Asrg] Re: RMX Records Daniel Feenberg
- Re: [Asrg] Re: RMX Records Hadmut Danisch
- Re: [Asrg] domain specific DNS blacklists (or whi… wayne
- Re: [Asrg] domain specific DNS blacklists (or whi… Roland
- [Asrg] Re: RMX Records Adam Back
- Re: [Asrg] Re: RMX Records Hadmut Danisch
- Re: [Asrg] Re: RMX Records Roland
- DNS is broken, and by extension so is RMX (Re: [A… Adam Back
- Re: [Asrg] Re: RMX Records Adam Back
- Re: [Asrg] Re: RMX Records Hadmut Danisch
- Re: [Asrg] Re: RMX Records Vernon Schryver
- RE: [Asrg] Re: RMX Records Gary Feldman
- [Asrg] Re: RMX Records Peter A. Friend
- Re: [Asrg] Re: RMX Records Vernon Schryver
- RE: [Asrg] Re: RMX Records Vernon Schryver
- Re: [Asrg] Re: RMX Records Hadmut Danisch
- Re: [Asrg] Re: RMX Records Derek J. Balling
- RE: [Asrg] Re: RMX Records Gary Feldman
- Re: [Asrg] Re: RMX Records Dr. Jeffrey Race
- Re: [Asrg] Re: RMX Records Alan DeKok
- False positives (was Re: [Asrg] Re: RMX Records) David F. Skoll
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Kee Hinckley
- RE: [Asrg] Re: RMX Records Vernon Schryver
- Re: [Asrg] Re: RMX Records Vernon Schryver
- Re: [Asrg] Re: RMX Records Troy Rollo
- Re: [Asrg] Re: RMX Records Derek J. Balling
- Re: [Asrg] Re: RMX Records Vernon Schryver
- Re: [Asrg] Re: RMX Records Troy Rollo
- RE: [Asrg] Re: RMX and DS Records Gordon Fecyk - Home
- Re: [Asrg] Re: RMX Records Hadmut Danisch
- Fwd: Re: [Asrg] Re: RMX Records Dr. Jeffrey Race
- Re: False positives (was Re: [Asrg] Re: RMX Recor… David F. Skoll
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Matt Sergeant
- Re: False positives (was Re: [Asrg] Re: RMX Recor… David F. Skoll
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Matt Sergeant
- Re: [Asrg] Re: RMX Records Chris Lewis
- Re: [Asrg] Good versus bad (was Re: RMX Records ) Alan DeKok
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Alan DeKok
- [Asrg] Re: False Positives Peter A. Friend
- Re: [Asrg] Good versus bad (was Re: RMX Records ) Chris Lewis
- Re: False positives (was Re: [Asrg] Re: RMX Recor… David F. Skoll
- Re: [Asrg] Good versus bad (was Re: RMX Records ) David F. Skoll
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Terry Carmen
- Re: False positives (was Re: [Asrg] Re: RMX Recor… David F. Skoll
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Chris Lewis
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Eric S. Johansson
- Re: [Asrg] Good versus bad (was Re: RMX Records ) Chris Lewis
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Chris Lewis
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Kee Hinckley
- Re: False positives (was Re: [Asrg] Re: RMX Recor… abuse
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Kee Hinckley
- Re: False positives (was Re: [Asrg] Re: RMX Recor… abuse
- Re: False positives (was Re: [Asrg] Re: RMX Recor… abuse
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Eric S. Johansson
- Re: False positives (was Re: [Asrg] Re: RMX Recor… Wilson Roberto Afonso