IETF Logo Mail Archive

Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

David Conrad <drc@virtualized.org> Mon, 11 August 2008 22:53 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ABF493A6CE3; Mon, 11 Aug 2008 15:53:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.597
X-Spam-Level:
X-Spam-Status: No, score=-3.597 tagged_above=-999 required=5 tests=[AWL=0.540, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVM6YxHn9H3X; Mon, 11 Aug 2008 15:53:21 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 9FB083A6CC1; Mon, 11 Aug 2008 15:53:21 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KSgBq-000KKY-P1 for namedroppers-data@psg.com; Mon, 11 Aug 2008 22:48:38 +0000
Received: from [204.152.189.190] (helo=virtualized.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <drc@virtualized.org>) id 1KSgBn-000KKB-7b for namedroppers@ops.ietf.org; Mon, 11 Aug 2008 22:48:37 +0000
Received: from [10.0.1.199] (c-71-198-3-247.hsd1.ca.comcast.net [71.198.3.247]) by virtualized.org (Postfix) with ESMTP id CE73B2CE911; Mon, 11 Aug 2008 15:48:34 -0700 (PDT)
Cc: 'Namedroppers WG' <namedroppers@ops.ietf.org>
Message-Id: <940FDC7A-9D3C-4ACE-9518-4BCBC86403B0@virtualized.org>
From: David Conrad <drc@virtualized.org>
To: "Jesper G. Høy" <jesper@jhsoft.com>
In-Reply-To: <028c01c8fbfb$e44131a0$acc394e0$@com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v928.1)
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Mon, 11 Aug 2008 15:48:34 -0700
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <028601c8f185$eeb51b90$cc1f52b0$@com> <F64EF155F05968A001280C7B@Ximines.local> <028a01c8f18c$7f6bb620$7e432260$@com> <572015C3F44995F54736D38B@Ximines.local> <029401c8f196$c5822bd0$50868370$@com> <489F0F8E.6020607@gis.net> <021101c8fb13$34634310$9d29c930$@com> <B5457C05-D2EA-4A31-94AB-84807AC62843@virtualized.org> <028c01c8fbfb$e44131a0$acc394e0$@com>
X-Mailer: Apple Mail (2.928.1)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

Jesper,

On Aug 11, 2008, at 2:47 PM, Jesper G. Høy wrote:
> 4 billion packets may not be enough - we need a longer transaction ID.

Or, we could remove the vulnerability by protecting the data, not the  
transport.

> <quote>
> The core problem with the Kaminsky bug, and other cache poisoning  
> scenarios,
> is the short 16 bit transaction ID.

No.  The core problem with the Kaminsky bug is the fact that DNS data  
is unprotected during transport.  Making the transaction ID bigger  
reduces the chance of an blind insertion spoof attack, but does  
nothing for an interception spoof attack where the attacker is in the  
DNS data path.  Your XTID proposal is one of a class that treats the  
symptoms, not the underlying disease.  DNSSEC is one of a class that  
treats the disease.  In a DNSSEC-enabled world, it wouldn't matter  
where you got the response from or what zombie-laden networks the  
response traversed, you would be able to validate the response hadn't  
been tampered with.

That isn't to say that I don't think XTID et al shouldn't be  
considered and even implemented if they improve the status quo, but it  
solves a subset of the problems DNSSEC solves and as such, one has to  
consider whether it is superfluous, particularly as XTID (appears to)  
require a redeployment of both authoritative and caching servers, just  
like DNSSEC (and if you're going to redeploy, you're probably going to  
be redeploying something that is DNSSEC-capable).

> But DNSSEC was not invented to fix the Kaminsky bug (the topic of this
> thread).

Actually, it was.  Not the Kaminsky bug specifically of course, but  
the entire class of bugs that revolve around modifying DNS data in  
transit.

> I do think it is fair to ask that other possibilities at least be  
> considered
> before applying something as complex as DNSSEC to this fairly simple  
> problem
> (short transaction ID).

First, I am unaware of anyone even suggesting that other possibilities  
not be considered.  On the contrary, I seem to recall pretty much  
everyone clamoring for an alternative that provides the same level of  
protection as DNSSEC albeit with less  
{development,operational,infrastructure} cost.

Second, the problem isn't that the transaction ID is too short.  The  
short transaction ID exacerbates the problem by allowing remote  
insertion spoofing particularly when additional section processing  
comes into play.  The real problem is that the DNS protocol was  
developed during a time when "be liberal in what you accept" was a  
good idea and when nobody would intentionally muck up network data for  
illicit gain.  Times have changed.

Regards,
-drc


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email