Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
David Conrad <drc@virtualized.org> Mon, 11 August 2008 22:53 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ABF493A6CE3; Mon, 11 Aug 2008 15:53:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.597
X-Spam-Level:
X-Spam-Status: No, score=-3.597 tagged_above=-999 required=5 tests=[AWL=0.540, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVM6YxHn9H3X; Mon, 11 Aug 2008 15:53:21 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 9FB083A6CC1; Mon, 11 Aug 2008 15:53:21 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KSgBq-000KKY-P1 for namedroppers-data@psg.com; Mon, 11 Aug 2008 22:48:38 +0000
Received: from [204.152.189.190] (helo=virtualized.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <drc@virtualized.org>) id 1KSgBn-000KKB-7b for namedroppers@ops.ietf.org; Mon, 11 Aug 2008 22:48:37 +0000
Received: from [10.0.1.199] (c-71-198-3-247.hsd1.ca.comcast.net [71.198.3.247]) by virtualized.org (Postfix) with ESMTP id CE73B2CE911; Mon, 11 Aug 2008 15:48:34 -0700 (PDT)
Cc: 'Namedroppers WG' <namedroppers@ops.ietf.org>
Message-Id: <940FDC7A-9D3C-4ACE-9518-4BCBC86403B0@virtualized.org>
From: David Conrad <drc@virtualized.org>
To: "Jesper G. Høy" <jesper@jhsoft.com>
In-Reply-To: <028c01c8fbfb$e44131a0$acc394e0$@com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v928.1)
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Mon, 11 Aug 2008 15:48:34 -0700
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <028601c8f185$eeb51b90$cc1f52b0$@com> <F64EF155F05968A001280C7B@Ximines.local> <028a01c8f18c$7f6bb620$7e432260$@com> <572015C3F44995F54736D38B@Ximines.local> <029401c8f196$c5822bd0$50868370$@com> <489F0F8E.6020607@gis.net> <021101c8fb13$34634310$9d29c930$@com> <B5457C05-D2EA-4A31-94AB-84807AC62843@virtualized.org> <028c01c8fbfb$e44131a0$acc394e0$@com>
X-Mailer: Apple Mail (2.928.1)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
Jesper, On Aug 11, 2008, at 2:47 PM, Jesper G. Høy wrote: > 4 billion packets may not be enough - we need a longer transaction ID. Or, we could remove the vulnerability by protecting the data, not the transport. > <quote> > The core problem with the Kaminsky bug, and other cache poisoning > scenarios, > is the short 16 bit transaction ID. No. The core problem with the Kaminsky bug is the fact that DNS data is unprotected during transport. Making the transaction ID bigger reduces the chance of an blind insertion spoof attack, but does nothing for an interception spoof attack where the attacker is in the DNS data path. Your XTID proposal is one of a class that treats the symptoms, not the underlying disease. DNSSEC is one of a class that treats the disease. In a DNSSEC-enabled world, it wouldn't matter where you got the response from or what zombie-laden networks the response traversed, you would be able to validate the response hadn't been tampered with. That isn't to say that I don't think XTID et al shouldn't be considered and even implemented if they improve the status quo, but it solves a subset of the problems DNSSEC solves and as such, one has to consider whether it is superfluous, particularly as XTID (appears to) require a redeployment of both authoritative and caching servers, just like DNSSEC (and if you're going to redeploy, you're probably going to be redeploying something that is DNSSEC-capable). > But DNSSEC was not invented to fix the Kaminsky bug (the topic of this > thread). Actually, it was. Not the Kaminsky bug specifically of course, but the entire class of bugs that revolve around modifying DNS data in transit. > I do think it is fair to ask that other possibilities at least be > considered > before applying something as complex as DNSSEC to this fairly simple > problem > (short transaction ID). First, I am unaware of anyone even suggesting that other possibilities not be considered. On the contrary, I seem to recall pretty much everyone clamoring for an alternative that provides the same level of protection as DNSSEC albeit with less {development,operational,infrastructure} cost. Second, the problem isn't that the transaction ID is too short. The short transaction ID exacerbates the problem by allowing remote insertion spoofing particularly when additional section processing comes into play. The real problem is that the DNS protocol was developed during a time when "be liberal in what you accept" was a good idea and when nobody would intentionally muck up network data for illicit gain. Times have changed. Regards, -drc -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- How do we get the whole world to upgrade to DNSSE… Ben Laurie
- Re: How do we get the whole world to upgrade to D… Alex Bligh
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Andrew Sullivan
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- Re: How do we get the whole world to upgrade to D… Roy Arends
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Stephane Bortzmeyer
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Matthijs Mekking
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bmanning
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- RE: How do we get the whole world to upgrade to D… Alex Bligh
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- RE: How do we get the whole world to upgrade to D… Alex Bligh
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Michael StJohns
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Tony Finch
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Edward Lewis
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Dean Anderson
- Re: How do we get the whole world to upgrade to D… Ray.Bellis
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… David W. Hankins
- Re: How do we get the whole world to upgrade to D… Jim Fenton
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… Duane at e164 dot org
- Re: How do we get the whole world to upgrade to D… Paul Vixie
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Alex Bligh
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Duane at e164 dot org
- Re: Kaminsky, Cache Poisoning, and Censorship Brian Dickson
- A note of apology (Was: Kaminsky, Cache Poisoning… Andrew Sullivan
- Re: Kaminsky, Cache Poisoning, and Censorship Dean Anderson
- Kaminsky, Cache Poisoning, and Censorship Dean Anderson
- Re: A note of apology (Was: Kaminsky, Cache Poiso… Dean Anderson