Re: Why *can* cached DNS replies be overwritten?
Olafur Gudmundsson <ogud@ogud.com> Tue, 12 August 2008 00:40 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA8553A6E07; Mon, 11 Aug 2008 17:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.482
X-Spam-Level: *
X-Spam-Status: No, score=1.482 tagged_above=-999 required=5 tests=[AWL=-1.677, BAYES_40=-0.185, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1j1u-3BMnvex; Mon, 11 Aug 2008 17:40:14 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id CFB8E3A6E18; Mon, 11 Aug 2008 17:40:13 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KShq3-0004bU-Ar for namedroppers-data@psg.com; Tue, 12 Aug 2008 00:34:15 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <ogud@ogud.com>) id 1KShpz-0004az-Fa for namedroppers@psg.com; Tue, 12 Aug 2008 00:34:13 +0000
Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.2/8.14.2) with ESMTP id m7C0WqNc078602; Mon, 11 Aug 2008 20:32:53 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-Id: <200808120032.m7C0WqNc078602@stora.ogud.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 11 Aug 2008 20:32:48 -0400
To: "Jay R. Ashworth" <jra@baylink.com>, namedroppers@psg.com
From: Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: Why *can* cached DNS replies be overwritten?
In-Reply-To: <20080811190427.GD9082@cgi.jachomes.com>
References: <20080811190427.GD9082@cgi.jachomes.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.64 on 10.20.30.4
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
At 15:04 11/08/2008, Jay R. Ashworth wrote:
>[ cross-posted from NANOG, cause vix told me to :-)
>
>On Mon, Aug 11, 2008 at 11:20:07AM -0400, Leo Bicknell wrote:
> > If your vendor told you that you are not at risk they are wrong,
> > and need to go re-read the Kaminski paper. EVERYONE is vunerable,
> > the only question is if the attack takes 1 second, 1 minute, 1 hour
> > or 1 day. While possibly interesting for short term problem
> > management none of those are long term fixes. I'm not sure your
> > customers care when .COM is poisoned if it took the attacker 1
> > second or 1 day.
>
>Correct me if I'm wrong, Leo, but your assertion turns on the fact that
>the server will accept an overwriting cache entry for something it
>already has cacheed, does it not?
>
>Do djb and Power in fact do that?
>
>If they don't, the window of opportunity to poison something like .com
>is limited to the period between when that entry expires from the local
>server's cache and the next time it hears a reply -- which will be the
>time after that expiry when someone next requests a .com name; IE
>almost immediately, no?
>
>Everyone seems to continue asking "why can poisoning overwrite already
>cached answer" and no one seems to be answering, and, unless I'm a
>moron (which is not impossible), that's the crux of this issue.
>
>Cheers,
>-- jra
>--
<no-hat>
The cynical answer is "optimization" the real answer is
"trying to be helpful".
What most/all implementations are doing is assuming that "newer" data
is better if it has the same criticality [RFC2181], this takes two forms:
if the data is identical to the existing one, the TTL on the set is extended.
If the data is different the old data is replaced.
Personally I think we need to sit down and analyze this carefully if
we are better of by outlawing/discouraging this behavior and have all
RRsets expire after the original TTL expires or do something else.
One proposal is to use the "Authority Section data for the question
being asked" and then ask a direct query to fetch the data inserted into the
Authority section data and overwrite that with the data from Answer
section which should have higher criticality than the stuff from Authority
Section and this should prevent overwrites. (This is strictly/almost
a protocol change)
The effect of not overwriting/stretching TTL on RRsets is that
an attacker can only poison the set of their choice once in a
while (depends on the RRset TTL and the cache's memory constraints).
<char-hat=on>
What the overall effect is going to be if caches changed this
behavior is debatable but conducting few experiments would be real
useful. Both in seeing if anything in resolution break as well as
see if this helps prevent acceptance of forgeries.
At the same time the WG should look into other approaches in this and
related spaces.
Comments
Olafur
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: Why *can* cached DNS replies be overwritten? Olafur Gudmundsson
- Why *can* cached DNS replies be overwritten? Jay R. Ashworth
- Re: Why *can* cached DNS replies be overwritten? bert hubert
- RE: Why *can* cached DNS replies be overwritten? Antoin Verschuren
- Dealing with the NS RRSet [Re: Why *can* cached D… Peter Koch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Tony Finch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Florian Weimer
- Re: Why *can* cached DNS replies be overwritten? Paul Vixie
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Peter Koch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Tony Finch