[dnsext] draft-barwood-dnsext-fr-resolver-mitigations-03

"George Barwood" <george.barwood@blueyonder.co.uk> Sun, 12 October 2008 10:36 UTC

From: George Barwood <george.barwood@blueyonder.co.uk>
To: namedroppers@ops.ietf.org
Subject: [dnsext] draft-barwood-dnsext-fr-resolver-mitigations-03
Date: Sun, 12 Oct 2008 11:30:00 +0100

I have revised my draft at

http://www.ietf.org/internet-drafts/draft-barwood-dnsext-fr-resolver-mitigations-03.txt

(Latest version at: https://datatracker.ietf.org/drafts/draft-barwood-dnsext-fr-resolver-mitigations/)

Abstract:

   Describes mitigations against spoofing attacks on DNS, including:

   (1) Repeating the query, including techniques for handling
       non-deterministic responses.

   (2) Prepending a random nonce to the question where a referral is
       probable.

   (3) Estimating the entropy available, taking into account
      (a) Observed packets with incorrect IDs.
      (b) Records where the owner name does not match the question.
      (c) The previous content of the cache.

New is that port randomization must not be combined with query repetition, and a revised treatment of convergence of non-deterministic responses that preserves RRset integrity (although this can be spoofed).

My point of view is that cache policy (as described by Nicholas Weaver) is not the cleanest approach, and that simple repetition, while boring, is the best approach for a general-purpose recursive resolver.

Other tricks (such as 0x20, port randomization, a random nonce) can be used to reduce the number of queries needed, but are not essential.

George Barwood 
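As an added example, not taken from the draft or from the post above: a resolver-side acceptance rule for mitigation (1), query repetition, that treats reordered round-robin answers as agreement and also keeps the counters that (3a) and (3b) would feed on. The reply shape, owner names, IDs and addresses are constructed for the example.

```python
from collections import namedtuple

# Constructed reply shape for this example: transaction ID, owner name of the
# answer, and the answer rdata as a list (servers may rotate its order).
Reply = namedtuple("Reply", "txid owner rdata")


def rrset_key(reply):
    """Order-independent RRset identity: round-robin rotation is not a conflict."""
    return frozenset(reply.rdata)


def repeat_and_verify(question, issued_txids, replies):
    """Acceptance rule for a repeated query (illustrative, not the draft's text).

    The question was sent len(issued_txids) times, each with its own random ID.
    The first reply per outstanding ID is taken, as a resolver would; the RRset
    is accepted only if every repetition returned the same RRset.
    Returns (accepted_rrset or None, stats).
    """
    pending = set(issued_txids)
    stats = {"bad_id": 0, "bad_owner": 0, "accepted_replies": 0}
    answers = []
    for r in replies:
        if r.txid not in pending:
            stats["bad_id"] += 1        # (3a): unexpected ID, evidence of guessing
            continue
        if r.owner.lower() != question.lower():
            stats["bad_owner"] += 1     # (3b): owner name does not match the question
            continue
        pending.discard(r.txid)         # this repetition is now answered
        stats["accepted_replies"] += 1
        answers.append(rrset_key(r))
    if pending or len(set(answers)) != 1:
        return None, stats              # incomplete or disagreeing repetitions: re-query
    return answers[0], stats
```

A single lucky ID guess cannot win on its own: the forged RRset disagrees with the genuine repetitions, the whole set is rejected, and the counters record the guessing traffic.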



archive: <http://ops.ietf.org/lists/namedroppers/>