Re: Online signing (was: Evaluating DNSSEC transition mechanisms)
Roy Arends <roy@dnss.ec> Fri, 11 June 2004 08:38 UTC
Date: Fri, 11 Jun 2004 10:34:21 +0200
From: Roy Arends <roy@dnss.ec>
To: Roy Badami <roy@gnomon.org.uk>
cc: namedroppers@ops.ietf.org
Subject: Re: Online signing (was: Evaluating DNSSEC transition mechanisms)
In-Reply-To: <16585.664.987120.394778@giles.gnomon.org.uk>
Message-ID: <Pine.LNX.4.58.0406111021380.2889@elektron.atoom.net>
References: <20040603161757.2c386dd7.olaf@ripe.net> <Pine.OSX.4.60.0406100932520.5571@criollo.schlyter.se> <a06020431bcee2fb29e74@[192.136.136.83]> <40C88D07.3040700@algroup.co.uk> <Pine.OSX.4.60.0406102133430.14544@criollo.schlyter.se> <Pine.LNX.4.58.0406102148580.2889@elektron.atoom.net> <16585.664.987120.394778@giles.gnomon.org.uk>
On Fri, 11 Jun 2004, Roy Badami wrote:

> As a slight aside, if I were architecting such a system from scratch,
> I'd be inclined to consider combining it with Bloom filters, and only
> signing denials where there was a collision in the Bloom filter -- in
> other cases the Bloom filter itself could be used to prove
> non-existence.
>
> I'm reasonably confident that the combination of these two measures
> would make the computational overhead of online signing a non-issue
> for a normal query load, and they'd remove the concerns of offline
> dictionary attacks. Whether or not they'd be adequate to deal with
> DoS scenarios is less obvious to me...
>
> I realize we're in radio silence about the details of DNSSECter, so I
> don't want to get into a detailed discussion about this idea. I
> mention it only because I haven't seen such an idea mentioned, and if
> we're seriously considering online signing then it's worth bearing in
> mind the possible shapes that a DNSSECter based on online signing
> might take to help inform the current extensibility analysis...

Bloom filters in DNSSEC are not new. SMB introduced them:

www.research.att.com/~smb/papers/draft-bellovin-dnsext-bloomfilt-00.txt

The combination with ad-hoc signing of a synthesised NSEC where otherwise
it would have been a false positive is new.

Anyway, I think crypto acceleration cards' ops/sec are currently faster
than a DNSSEC-capable apparatus can serve in q/sec. I hope the
assumptions one might have about a crypto-driven DDoS attack are hereby
tuned to a non-issue.

Roy

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
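The decision path the quoted message sketches, and that the reply summarises as "ad-hoc signing of a synthesised NSEC where otherwise it would have been a false positive", as an added example that is not code from this thread or from any DNSSEC implementation: a Bloom filter over the zone's owner names answers most denials without any signing work, and only a name the filter cannot rule out (a collision) falls through to synthesising an NSEC and signing it on the fly. The four-name zone, the 1% false-positive target, and the HMAC standing in for an RRSIG are constructed assumptions for illustration; the canonical-ordering function is a simplified version of the RFC 4034 ordering.

```python
import bisect
import hashlib
import hmac
import math

# Constructed demo zone and key; not from the thread or any real deployment.
DEMO_ZONE_NAMES = ["example.", "mail.example.", "a.example.", "c.example."]
DEMO_KEY = b"demo-online-signing-key"   # stand-in for the zone's private signing key


def normalize(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def canonical_key(name: str) -> tuple:
    """Simplified RFC 4034 canonical ordering: compare labels right to left, lowercase."""
    n = normalize(name)
    labels = [] if n == "." else n.rstrip(".").split(".")
    return tuple(reversed(labels))


class BloomFilter:
    """Bloom filter over owner names: never a false negative, tunable false-positive rate."""

    def __init__(self, n_items: int, fp_rate: float):
        n = max(1, n_items)
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, name: str):
        # Double hashing (h1 + i*h2 mod m) derived from one SHA-256 of the name.
        d = hashlib.sha256(normalize(name).encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, name: str) -> None:
        for p in self._positions(name):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, name: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(name))


class Zone:
    def __init__(self, owner_names, fp_rate=0.01, key=DEMO_KEY):
        self.names = sorted({normalize(n) for n in owner_names}, key=canonical_key)
        self.keys = [canonical_key(n) for n in self.names]
        self.bloom = BloomFilter(len(self.names), fp_rate)   # published pre-signed, offline
        for n in self.names:
            self.bloom.add(n)
        self.key = key
        self.online_signatures = 0   # counts how often the slow path actually ran


def synthesize_nsec(zone: Zone, qname: str):
    """Owner/next pair of the NSEC covering an absent qname (wraps around at the apex)."""
    q = canonical_key(qname)
    i = bisect.bisect_left(zone.keys, q)
    if i < len(zone.keys) and zone.keys[i] == q:
        raise ValueError(f"{qname} exists; nothing to deny")
    return zone.names[i - 1], zone.names[i % len(zone.names)]


def sign(key: bytes, owner: str, nxt: str) -> str:
    # HMAC stands in for an RRSIG generated on the fly; what matters here is *when* it runs.
    return hmac.new(key, f"{owner} NSEC {nxt}".encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, owner: str, nxt: str, sig: str) -> bool:
    return hmac.compare_digest(sign(key, owner, nxt), sig)


def answer(zone: Zone, qname: str) -> dict:
    """Fast path: the filter denies. Slow path: filter collision -> synthesise and sign an NSEC."""
    q = normalize(qname)
    if q in zone.names:
        return {"kind": "exists", "name": q}
    if q not in zone.bloom:
        return {"kind": "bloom-denial", "name": q}          # no signing work at all
    owner, nxt = synthesize_nsec(zone, q)                    # false positive: sign online
    zone.online_signatures += 1
    return {"kind": "signed-nsec", "name": q, "owner": owner, "next": nxt,
            "rrsig": sign(zone.key, owner, nxt)}


def online_signing_fraction(zone: Zone, absent_names) -> float:
    """Share of denials that fell through to online signing; approximates the filter's fp rate."""
    before = zone.online_signatures
    for n in absent_names:
        answer(zone, n)
    return (zone.online_signatures - before) / max(1, len(absent_names))


if __name__ == "__main__":
    z = Zone(DEMO_ZONE_NAMES)
    for q in ["b.example.", "z.example.", "a.example."]:
        print(answer(z, q))
    probes = [f"nx{i}.example." for i in range(10000)]
    print("fraction of denials signed online:", online_signing_fraction(z, probes))
```

Two caveats the quoted message implies but does not spell out: a "bloom-denial" is only a proof if the filter itself is published signed and is rebuilt and re-signed whenever the zone changes; and because that filter is public, anyone can compute names that collide in it and query only those, so the fraction measured here is a normal-load figure, not the worst case, which is exactly the DoS question the quoted message leaves open.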