RE: Forgery Resistance phase #2
Jesper G. Høy <jesper@jhsoft.com> Tue, 29 July 2008 13:34 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3193928C2CE; Tue, 29 Jul 2008 06:34:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.195
X-Spam-Level:
X-Spam-Status: No, score=-0.195 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VWbaYtCf64QZ; Tue, 29 Jul 2008 06:34:03 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4B50728C2E1; Tue, 29 Jul 2008 06:34:02 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KNpGT-00010z-2I for namedroppers-data@psg.com; Tue, 29 Jul 2008 13:29:21 +0000
Received: from [204.9.75.100] (helo=kansas.jhsoft.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <jesper@jhsoft.com>) id 1KNpGO-00010U-4H for namedroppers@ops.ietf.org; Tue, 29 Jul 2008 13:29:18 +0000
Received: from hemsen by kansas.jhsoft.com (MDaemon PRO v9.6.2) with ESMTP id md50000105072.msg for <namedroppers@ops.ietf.org>; Tue, 29 Jul 2008 13:29:15 +0000
From: "Jesper G. Høy" <jesper@jhsoft.com>
To: 'Ólafur Guðmundsson /DNSEXT chair' <ogud@ogud.com>, namedroppers@ops.ietf.org
References: <200807281555.m6SFsxAO021711@stora.ogud.com>
In-Reply-To: <200807281555.m6SFsxAO021711@stora.ogud.com>
Subject: RE: Forgery Resistance phase #2
Date: Tue, 29 Jul 2008 15:28:21 +0200
Message-ID: <027b01c8f17e$f99b0a80$ecd11f80$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcjwztzlQtIeU0NpQEa+RPu1D7Oa5gAr0JIA
Content-Language: en-us
X-Authenticated-Sender: jesper@jhsoft.com
X-MDRemoteIP: 87.56.149.202
X-Return-Path: jesper@jhsoft.com
X-Envelope-From: jesper@jhsoft.com
X-MDaemon-Deliver-To: namedroppers@ops.ietf.org
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
I think my XQID suggestion (http://www.jhsoft.com/dns-xqid.htm), which by the way seems like a even better idea in light of the Kaminsky bug, is somewhere in your list already. But I would be very interested to learn more about the other items. Could you possibly expand the list with some links to more details on the other ideas? Thanks, Jesper > -----Original Message----- > From: owner-namedroppers@ops.ietf.org [mailto:owner- > namedroppers@ops.ietf.org] On Behalf Of Ólafur Guðmundsson /DNSEXT > chair > Sent: Monday, July 28, 2008 5:54 PM > To: namedroppers@ops.ietf.org > Subject: Forgery Resistance phase #2 > > > This message is sent in my role as chair with consent of my co-chair > but without > his editing help, thus any mistakes in this message are mine and only > mine. > > The large volume of message over the last 2 weeks related to how to > make DNS > safer made me think about "what are all the different possible > approaches?" > Below is a list of ideas I have heard mentioned or thought off. > > The list is supposed to be as complete as possible, if there is > anything > missing feel free to bring it up. > Some of the ideas are stupid or do not make sense but are documented > here > for sake of completeness. > Deployment of some of these ideas can be done real soon, others require > extensive software upgrades. The final solution selection may include > more than > one ideas below as there is frequently not just one solution. > > The goal of this email is that the WG is in a position to know that it > is > selecting from a "complete set" of solutions When/IF the WG (or DNSOP > WG) > decides that it should attempt to document/recommend more approaches > than > what was covered in the FR-draft. > > Covered in FR draft: > Query ID > Source Port > Source Address > > Randomness possibilities that originators have: > Destination Address [1] > Case games (like x20) > Multiple identical questions [5] > Repeat question [6] > Spread question to number of nameservers. [7] > Delay question [8] > Time spaced repeated questions [9] > "random" TCP query [11] > > > What Destinations can do to increase protection: > More addresses: [10] > DNSSEC > > Protections that require both parties collaboration: > TSIG > DNS cookies > TKEY + TSIG/SIG(0) > SIG(0) Destination Protocol/port [2] > Query name hacks (pre and post fixes) [3] > EDNS ECHO [4] > QCount > 1 [14] > QClass top bit 8 redefinition [13] > IPsec tunnels [12] > IPv6 preference [15] > > Steps that resolvers can take to protect them self: > Forgery Detection > and react to forgery attempts. > > Steps that Operators of Authorative servers/zone owners can take: > Deploy only current software > Deploy DNSSEC > Update ACL rules to reflect current recommended DNS port usage. > > Comments: > [1] Destination Address: Many implementations go to first name server > in an > NS set all the time, some go to the one they know is closest or > go > to the one that they know has answered a query in the past, one > they > have an A record for, etc. > From security point of view always selecting a random server is > the > best one. From an operating point of view this may/will cause > more > delays/errors. For high availability zones with short names > having > large NS sets is an possible source of randomness for example "." > has > 13 A address this adds 3.5 bits of randomness for resolvers that > use > random selection. By expanding this to randomly select IPv4 and > IPv6 > as transport for query another bit can be added. > > [2] Destination Port: Another potential source for randomness is to > reserve > 4 - 16 ports that DNS servers MUST listen on. 16 ports add 4 bits > of > randomness. > > [3] This relates to adding <foo.bar>.QNAME in query section or > QNAME.<foo-bar> or even if QNAME is a.b.c to do > a.<foo-bar>.b.c or a.b.<foo-bar>.c > <foo.bar> is in this case has a known prefix in the first label > that is registered with IANA so people can avoid it, > if <foo-bar> is multiple labels the first label should encode > how many bytes or labels to strip. > > [4] EDNS Echo: A simple option to EDNS that instructs a server to copy > back > this option in the answer or the answer is not to be trusted. > The contents of the option is random data unique to the query. > > [5] In this case a resolver fires a number of identical questions off > and > expects to get the same number of identical answers. > > [6] In this case the resolver repeats the question after getting an > answer, > it expects an identical answer. > > [7] Spread question to a number of nameservers/recursive resolvers, > expects to get back identical answers from all. > > [8] Here the resolver waits for a short random time before sending the > question but it is listening for answers from the time it forms > the question. > This is to detect forgery attack before sending the question. > > [9] In this case the resolver sends queries that are spaced in time > and it expects the answers to come back in the same order as sent > the > time between second and subsequent answers should approximate > the transmission time. > > [10] More designation addresses, larger NS sets potentially offer more > protection as the client has more addresses to choose from. > > [11] TCP queries are controversial as they require more state and > overhead. > Over the last few years we have seen TCP stacks optimized for > handling > large number of TCP connections thus the assumptions for not > using TCP > for DNS should be reexamined and requiring TCP port to be > available on > authorative servers will allow clients to fall back on TCP in > specified situations. > > [12] IPSEC: this is an option when there is strong relationship between > two > DNS entities, it is not clear how applicable this it is in the > random > resolver talking to random server. > > [13] Right now about 4 classes are defined in the IANA registry. Use > and deployment > of new classes is difficult to say the least. For this reason it > is tempting > to steal some of these unusable bits into help protect the > protocol. > The proposal is to redefine the top 8 bits into a QID and servers > would > ignore these bits when checking class answer but echo them back > in the > answer's QCLASS. > > [14] QCOUNT > 1 is currently not allowed but could be used to add > randomness to > the query if the second query is ignored in the answer processing > but is copied into the answer. There are number of different > possibilities > in how the randomness is expressed in the: label, QCLASS, QTYPE > or all. > > [15] IPv6 preference for queries, A resolver can cycle through many > privacy address to increase source address randomization. > > > Sorry for the lack of attributions in this posting, if/when this > becomes an > an ID that will be fixed. > > Olafur > > > -- > to unsubscribe send a message to namedroppers-request@ops.ietf.org with > the word 'unsubscribe' in a single line as the message text body. > archive: <http://ops.ietf.org/lists/namedroppers/> -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- RE: Forgery Resistance phase #2 Jesper G. Høy
- Forgery Resistance phase #2 Ólafur Guðmundsson /DNSEXT chair
- Re: Forgery Resistance phase #2 Alex Bligh
- Re: Forgery Resistance phase #2 Paul Hoffman
- Re: Forgery Resistance phase #2 Olafur Gudmundsson
- XQID (Re: Forgery Resistance phase #2 ) Paul Vixie
- Re: XQID (Re: Forgery Resistance phase #2 ) Jelte Jansen
- Re: XQID (Re: Forgery Resistance phase #2 ) Paul Vixie
- Re: XQID (Re: Forgery Resistance phase #2 ) Jelte Jansen
- Re: XQID (Re: Forgery Resistance phase #2 ) Paul Vixie
- Re: XQID (Re: Forgery Resistance phase #2 ) bert hubert