Re: [dnsext] DS digest downgrade

Joe Abley <jabley@hopcount.ca> Tue, 22 March 2011 16:50 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 336B328C13D for <dnsext@core3.amsl.com>; Tue, 22 Mar 2011 09:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vsqVKmEmBD2L for <dnsext@core3.amsl.com>; Tue, 22 Mar 2011 09:50:37 -0700 (PDT)
Received: from monster.hopcount.ca (monster.hopcount.ca [IPv6:2001:4900:1:392:213:20ff:fe1b:3bfe]) by core3.amsl.com (Postfix) with ESMTP id DF88728C12E for <dnsext@ietf.org>; Tue, 22 Mar 2011 09:50:36 -0700 (PDT)
Received: from [199.212.90.17] (helo=dh17.r1.hopcount.ca) by monster.hopcount.ca with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <jabley@hopcount.ca>) id 1Q24oR-0006jH-2P; Tue, 22 Mar 2011 16:52:07 +0000
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <201103221551.p2MFpgEY010280@givry.fdupont.fr>
Date: Tue, 22 Mar 2011 12:52:06 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <6AD2683C-BC01-4AC9-BF9C-3FC03EC93DC7@hopcount.ca>
References: <201103221551.p2MFpgEY010280@givry.fdupont.fr>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
X-Mailer: Apple Mail (2.1084)
X-SA-Exim-Connect-IP: 199.212.90.17
X-SA-Exim-Mail-From: jabley@hopcount.ca
X-SA-Exim-Scanned: No (on monster.hopcount.ca); SAEximRunCond expanded to false
Cc: Derek Atkins <warlord@MIT.EDU>, dnsext@ietf.org
Subject: Re: [dnsext] DS digest downgrade
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2011 16:50:38 -0000

On 2011-03-22, at 11:51, Francis Dupont wrote:

> In your previous mail you wrote:
> 
>   Unfortunately the validator can only validate what it receives; there's
>   often not a way for it to know what it should expect to receive.
> 
> => this opens the door to DoS attacks but as far as I know
> no more.

I think that door was already open. If you can spoof a secure delegation response to a client, surely you can also spoof an NXDOMAIN or a SERVFAIL.


Joe