Re: [dnsext] My Final Thoughts/Conclusions for forgery resistance...

"George Barwood" <george.barwood@blueyonder.co.uk> Mon, 17 November 2008 17:28 UTC

Message-ID: <9187E7D8A19847D5A1875292AF70CA9D@localhost>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: IETF DNSEXT WG <namedroppers@ops.ietf.org>
References: <9E33EF1C-A466-4AAC-903D-9B9D1AD8B6C1@icsi.berkeley.edu>
Subject: Re: [dnsext] My Final Thoughts/Conclusions for forgery resistance...
Date: Mon, 17 Nov 2008 17:22:11 -0000

> c) If there is no intersection between the returned RRSets, generate a
> THIRD query:
> c1) If two of the three responses have overlap on the returned RRSets,
> accept and return the intersection of the two RRSets
> c2) If there is no overlap between all three RRSets, DO NOT cache any
> value, return a randomly selected one of the responses with TTL=0.

This last (c2) implies that when port randomization is unavailable,
protection may be only 16 bits.

It seems more logical to repeat until suitable protection is obtained, at
least for "essential" resource record sets. This is entirely practical; I
have been testing such a resolver now for more than a month with no
problems. I describe this in more detail in my draft:

http://www.ietf.org/internet-drafts/draft-barwood-dnsext-fr-resolver-mitigations-08.txt
https://datatracker.ietf.org/drafts/draft-barwood-dnsext-fr-resolver-mitigations/

Generally I agree that repetition is fundamental, although I prefer to
formulate it in a more general way.

It needs some programming effort to implement, but does work perfectly well.
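Added example, not code from the original message or from the draft it cites: a small Python model of the two resolver-side mitigations under discussion, so the "only 16 bits" observation about rule (c2) can be seen concretely. The quoted steps (c), (c1) and (c2) are implemented as written; steps (a) and (b) are not on the page, so two initial queries plus an intersection check are assumed. The "repeat until suitable protection is obtained" alternative is modelled with an assumed, simplified entropy accounting (each independently randomized query that an attacker would have to match adds its TXID bits plus any port bits; exact RRset match is required for agreement). The `Response`, `scripted_sender`, `protection_bits` and `repeat_until_protected` names and the sample addresses are constructed for this example.

```python
# Added example (not George Barwood's draft code): toy model of the quoted
# a/b/c procedure versus "repeat until enough protection is obtained".
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """One upstream answer: the RRset as a frozenset of RDATA strings plus
    its TTL. Constructed, deliberately simplified model of a DNS response."""
    rrset: frozenset
    ttl: int


def scripted_sender(responses):
    """Return a send_query() callable that replays constructed responses in order."""
    it = iter(responses)
    return lambda: next(it)


def quoted_procedure(send_query):
    """Steps (c), (c1), (c2) as quoted in the message.

    Returns (rrset, ttl, cacheable). Two initial queries and an intersection
    check are assumed for the steps (a)/(b) that the page does not show."""
    r1, r2 = send_query(), send_query()
    common = r1.rrset & r2.rrset
    if common:
        return common, min(r1.ttl, r2.ttl), True
    # (c) no intersection: generate a third query
    r3 = send_query()
    # (c1) any two of the three overlap: accept and return their intersection
    # (r1 & r2 is already known to be empty, so only the pairs with r3 remain)
    for x, y in ((r1, r3), (r2, r3)):
        common = x.rrset & y.rrset
        if common:
            return common, min(x.ttl, y.ttl), True
    # (c2) all three disjoint: do not cache, return one at random with TTL=0
    pick = random.choice((r1, r2, r3))
    return pick.rrset, 0, False


def protection_bits(agreeing, txid_bits=16, port_bits=0):
    """Entropy an attacker would have to match to have produced `agreeing`
    consistent responses. Assumption: every query carries fresh TXID (and
    port) randomness, so the bits add. With no port randomization a single
    accepted response is worth only txid_bits: the 16-bit case from the list."""
    return agreeing * (txid_bits + port_bits)


def repeat_until_protected(send_query, min_bits=32, txid_bits=16,
                           port_bits=0, max_queries=8):
    """Keep querying until some RRset has come back in enough independent
    responses that protection_bits() reaches min_bits. Exact RRset match is
    assumed for agreement. Returns (rrset, ttl, bits, queries_used), or None
    if max_queries is exhausted (the caller should then treat the name as
    unresolved rather than fall back to a single unverified answer)."""
    seen = {}  # rrset -> (agreeing count, smallest ttl seen)
    for n in range(1, max_queries + 1):
        r = send_query()
        count, ttl = seen.get(r.rrset, (0, r.ttl))
        count, ttl = count + 1, min(ttl, r.ttl)
        seen[r.rrset] = (count, ttl)
        bits = protection_bits(count, txid_bits, port_bits)
        if bits >= min_bits:
            return r.rrset, ttl, bits, n
    return None


# Constructed sample RRsets (documentation-range addresses)
A = frozenset({"192.0.2.1"})
B = frozenset({"198.51.100.7"})
C = frozenset({"203.0.113.9"})

if __name__ == "__main__":
    disagree = [Response(A, 300), Response(B, 300), Response(C, 300)]
    # (c2) outcome: some RRset, TTL 0, not cacheable; only 16 bits behind it
    print(quoted_procedure(scripted_sender(disagree)))
    # repetition instead: a fourth query that agrees with the first reaches 32 bits
    print(repeat_until_protected(scripted_sender(disagree + [Response(A, 120)])))
```

The point of the comparison is the return path, not the arithmetic: with port randomization unavailable, rule (c2) still hands the client one of three mutually inconsistent answers, so the effective barrier is a single 16-bit TXID, whereas the repetition loop refuses to return anything until the agreeing responses together carry the required bits, and a `None` result is a signal to fail the lookup rather than guess.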

--
archive: <http://ops.ietf.org/lists/namedroppers/>