Re: Online signing (was: Evaluating DNSSEC transition mechanisms)

Roy Arends <roy@dnss.ec> Fri, 11 June 2004 08:38 UTC

Date: Fri, 11 Jun 2004 10:34:21 +0200
From: Roy Arends <roy@dnss.ec>
To: Roy Badami <roy@gnomon.org.uk>
cc: namedroppers@ops.ietf.org
Subject: Re: Online signing (was: Evaluating DNSSEC transition mechanisms)
In-Reply-To: <16585.664.987120.394778@giles.gnomon.org.uk>
Message-ID: <Pine.LNX.4.58.0406111021380.2889@elektron.atoom.net>
References: <20040603161757.2c386dd7.olaf@ripe.net> <Pine.OSX.4.60.0406100932520.5571@criollo.schlyter.se> <a06020431bcee2fb29e74@[192.136.136.83]> <40C88D07.3040700@algroup.co.uk> <Pine.OSX.4.60.0406102133430.14544@criollo.schlyter.se> <Pine.LNX.4.58.0406102148580.2889@elektron.atoom.net> <16585.664.987120.394778@giles.gnomon.org.uk>

On Fri, 11 Jun 2004, Roy Badami wrote:

> As a slight aside, if I were architecting such a system from scratch,
> I'd be inclined to consider combining it with Bloom filters, and only
> signing denials where there was a collision in the Bloom filter -- in
> other cases the Bloom filter itself could be used to prove
> non-existence.
>
> I'm reasonably confident that the combination of these two measures
> would make the computational overhead of online signing a non-issue
> for a normal query load, and they'd remove the concerns of offline
> dictionary attacks.  Whether or not they'd be adequate to deal with
> DoS scenarios is less obvious to me...
>
> I realize we're in radio silence about the details of DNSSECter, so I
> don't want to get into a detailed discussion about this idea.  I
> mention it only because I haven't seen such an idea mentioned, and if
> we're seriously considering online signing then it's worth bearing in
> mind the possible shapes that a DNSSECter based on online signing
> might take to help inform the current extensibility analysis...

Bloom filters in DNSSEC are not new. SMB introduced them:
 www.research.att.com/~smb/papers/draft-bellovin-dnsext-bloomfilt-00.txt

The combination with ad-hoc signing of synthesised NSEC where
otherwise it would have been a false positive is new.

Anyway, I think crypto acceleration cards' ops/sec are currently faster
than a DNSSEC capable apparatus can serve in q/sec.

I hope the assumptions one might have about a crypto-driven DDoS attack
are hereby tuned to a non-issue.


Roy
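The Bloom-filter-plus-online-signing scheme discussed in this exchange, as an added illustration that is not part of the thread or of any DNSSEC implementation: the zone's filter is signed once offline, a query for an absent name that the filter rejects is answered with that pre-signed filter, and only a false positive (the filter says "maybe" for a name that is not in the zone) triggers synthesis and online signing of a covering NSEC. HMAC stands in for the real RRSIG, the zone names and key are constructed, and plain string order approximates canonical DNS ordering.

```python
import hashlib
import hmac
# Constructed sample zone; plain string sort stands in for canonical DNS order (RFC 4034 s6.1).
ZONE_NAMES = ["example.", "a.example.", "m.example.", "www.example."]
ZONE_KEY = b"constructed-demo-key"  # stand-in for the zone's private signing key

class BloomFilter:
    """Minimal Bloom filter: k bit positions per name, sliced from one SHA-256 digest."""
    def __init__(self, m_bits, k):
        self.m, self.k, self.bits = m_bits, k, 0

    def _positions(self, name):
        d = hashlib.sha256(name.lower().encode()).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def add(self, name):
        for p in self._positions(name):
            self.bits |= 1 << p

    def might_contain(self, name):  # False is definite, True only means "maybe"
        return all(self.bits >> p & 1 for p in self._positions(name))

def sign(payload: bytes) -> str:  # HMAC stands in for RRSIG generation; one call = one signing op
    return hmac.new(ZONE_KEY, payload, hashlib.sha256).hexdigest()

def build_zone(names, m_bits=16, k=2):  # offline step: fill the filter and sign it once
    bf = BloomFilter(m_bits, k)
    for n in names:
        bf.add(n)
    return bf, sign(bf.bits.to_bytes((m_bits + 7) // 8, "big"))

def synthesize_nsec(qname, names):
    """Owner/next pair from the sorted zone that covers qname (wrapping at the ends)."""
    ordered = sorted(names)
    below = [n for n in ordered if n < qname]
    above = [n for n in ordered if n > qname]
    return (below[-1] if below else ordered[-1]), (above[0] if above else ordered[0])

def deny(qname, bf, filter_sig, names=ZONE_NAMES):
    """Produce a denial-of-existence proof for a name absent from the zone."""
    if qname in names:
        raise ValueError(f"{qname} exists; nothing to deny")
    if not bf.might_contain(qname):
        # Definite 'absent': the pre-signed filter is the proof, no online crypto needed.
        return {"proof": "bloom", "signature": filter_sig, "signed_online": False}
    # False positive: synthesize the covering NSEC and sign it now, the only costly case.
    owner, nxt = synthesize_nsec(qname, names)
    return {"proof": "nsec", "owner": owner, "next": nxt,
            "signature": sign(f"{owner} NSEC {nxt}".encode()), "signed_online": True}
```

With a 16-bit filter the false-positive rate is deliberately high so both paths are easy to hit; a real deployment sizes the filter so that online signing is the rare path.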
