Re: [BEHAVE] DNS64 validation

"Dan Wing" <dwing@cisco.com> Thu, 30 July 2009 08:38 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 99B5428C1A7 for <behave@core3.amsl.com>; Thu, 30 Jul 2009 01:38:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dblh5eSKr0MN for <behave@core3.amsl.com>; Thu, 30 Jul 2009 01:37:59 -0700 (PDT)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id 9AA1E28C17D for <behave@ietf.org>; Thu, 30 Jul 2009 01:37:59 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApsEAAP5cEpAZnmf/2dsb2JhbACLDa4diCeQFwWEEYFO
X-IronPort-AV: E=Sophos;i="4.43,294,1246838400"; d="scan'208";a="52278674"
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-1.cisco.com with ESMTP; 30 Jul 2009 08:38:00 +0000
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n6U8c0nf030624; Thu, 30 Jul 2009 04:38:00 -0400
Received: from dwingwxp01 ([10.21.72.10]) by rtp-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id n6U8bw7q005783; Thu, 30 Jul 2009 08:37:59 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Simon Perreault' <simon.perreault@viagenie.ca>
References: <4A703A8A.6060204@viagenie.ca> <20090729163826.GC9895@shinkuro.com> <07db01ca10e2$578c5b70$5f7d150a@cisco.com> <4A714828.5060901@viagenie.ca> <0a5301ca10ea$0db0c240$5f7d150a@cisco.com> <4A7157C0.7010309@viagenie.ca>
Date: Thu, 30 Jul 2009 10:37:55 +0200
Message-ID: <0a8501ca10f1$0b961b70$5f7d150a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcoQ7p1AXBpZEV4wQ3aSpVWE+g9LZQAAj17w
In-Reply-To: <4A7157C0.7010309@viagenie.ca>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=829; t=1248943080; x=1249807080; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[BEHAVE]=20DNS64=20validation |Sender:=20 |To:=20=22'Simon=20Perreault'=22=20<simon.perreault@viageni e.ca>; bh=2jaaLfaOEv66U7Pv28z/svooPY41ZuT6kb8YIHRFOqQ=; b=n+WHGmZRXD4brpg8GVTOJh6K1/CT6bKtBuQdo5V1FUKJ9qeiI22BuFnaAu ZXTUg/QqkwNB/XsbDtaCK1KsCGZO/z5mf6nszFKBFcSB1+N1co1pLA8bZ0FP 0rj3c/xU/b;
Authentication-Results: rtp-dkim-2; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
Cc: 'Andrew Sullivan' <ajs@shinkuro.com>, behave@ietf.org
Subject: Re: [BEHAVE] DNS64 validation
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2009 08:38:00 -0000

> Dan Wing wrote:
> > I am assuming there is a way for an attacker to cause a negative AAAA
> > response to be received by the DNS64.  If we have the DNS64 return an
> > error (to the DNS client) when the negative AAAA doesn't validate, the
> > IPv6-only host cannot establish a connection to the server.
> 
> How is this different from sending an invalid A response?
>
> How is this different from regular DNSSEC in general? In particular, see
> RFC4035 section 4.7 for ways to mitigate this DoS. See also the
> following quote from RFC4033 section 12:
> 
> "DNSSEC does not protect against denial of service attacks."
> 
> DISCLAIMER: I'm not sure I'm right. I'm just asking questions.

I don't know.  What is gained by validating a negative AAAA,
other than exercising DNSSEC?

-d
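As an added illustration, not part of the thread above or of any DNS64 implementation, the following Python models the two behaviours being debated: a DNS64 that returns an error when a negative AAAA response fails DNSSEC validation (fail closed), and one that ignores the bogus negative answer and synthesizes from the A record anyway (fail open). It also shows Simon Perreault's point that a bogus A response is rejected under both policies, because that is ordinary validating-resolver behaviour. The prefix 64:ff9b::/96, the `Response` dataclass, the RCODE strings and the sample records (192.0.2.1, 2001:db8::1) are assumptions chosen for the example; everything is constructed inline so it runs offline.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the DNS64 uses the Well-Known Prefix 64:ff9b::/96 (RFC 6052);
# any /96 network-specific prefix embeds the IPv4 address the same way.
DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


@dataclass
class Response:
    """Outcome of one upstream query as seen by the DNS64's validator.

    validated is True for a DNSSEC-secure answer, False for a bogus one
    (signature or NSEC/NSEC3 proof fails) and None for an unsigned zone.
    """
    rcode: str                       # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    answers: List[str] = field(default_factory=list)
    validated: Optional[bool] = None


def synthesize_aaaa(a_rdata: str,
                    prefix: ipaddress.IPv6Network = DNS64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 DNS64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes")
    v4 = int(ipaddress.IPv4Address(a_rdata))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def dns64_answer(aaaa: Response, a: Response, fail_closed: bool) -> Response:
    """Decide what the DNS64 returns to its IPv6-only client.

    fail_closed=True : a negative AAAA that fails validation yields SERVFAIL,
                       so an attacker who can inject a bogus negative AAAA
                       leaves the client with no address at all.
    fail_closed=False: the bogus negative AAAA is ignored and an answer is
                       synthesized from the A record, provided *that* record
                       validated; a bogus A is SERVFAIL under both policies.
    """
    # 1. A genuine AAAA exists: pass it through, nothing to synthesize.
    if aaaa.rcode == "NOERROR" and aaaa.answers and aaaa.validated is not False:
        return Response("NOERROR", list(aaaa.answers), aaaa.validated)

    # 2. Upstream failure, or a bogus *positive* AAAA: plain DNSSEC says SERVFAIL.
    if aaaa.rcode == "SERVFAIL" or (aaaa.validated is False and aaaa.answers):
        return Response("SERVFAIL")

    # 3. Negative AAAA that did not validate: the policy knob under discussion.
    if aaaa.validated is False and fail_closed:
        return Response("SERVFAIL")

    # 4. Fall back to the A record. A bogus A is never synthesized from.
    if a.validated is False or a.rcode == "SERVFAIL":
        return Response("SERVFAIL")
    if not a.answers:
        return Response(a.rcode)        # NXDOMAIN / NODATA for both families

    synthesized = [synthesize_aaaa(rr) for rr in a.answers]
    # Synthesized records carry no RRSIG, so the client sees them as unsigned
    # even when the A record they came from was secure.
    return Response("NOERROR", synthesized, validated=None)


def demo() -> None:
    # Constructed scenario: attacker injects a negative AAAA that fails
    # validation while the A record for the same name validates fine.
    bogus_negative = Response("NOERROR", [], validated=False)
    good_a = Response("NOERROR", ["192.0.2.1"], validated=True)
    for policy in (True, False):
        r = dns64_answer(bogus_negative, good_a, fail_closed=policy)
        print(f"fail_closed={policy}: {r.rcode} {r.answers}")


if __name__ == "__main__":
    demo()
```

Under the fail-closed policy the constructed attack scenario produces SERVFAIL; under fail-open the client receives 64:ff9b::c000:201 and can connect, which is the trade-off the question "what is gained by validating a negative AAAA" is asking about.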