Re: [DNSOP] Should root-servers.net be signed

"George Barwood" <george.barwood@blueyonder.co.uk> Sat, 20 March 2010 16:11 UTC

Message-ID: <E112694D643B490B98B27F6014E1E021@localhost>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost><0E169711-92DC-4AEA-AA81-718F298D1645@hopcount.ca><alpine.LSU.2.00.1003081614480.1897@hermes-2.csi.cam.ac.uk><A2D7C5EE-9937-4529-A28F-23296485A8B2@hopcount.ca><43FC3F50679F458A869F99D72ECD1237@localhost><20100309151726.GC5108@dul1mcmlarson-l1-2.local> <6C56581E-D4F4-4A49-A3B4-CB7F1CF42E29@icsi.berkeley.edu> <183BEF785A9844F186558A87848A6698@localhost> <061F30F4-E0EE-40E6-A54D-246D9E9A9D77@ICSI.Berkeley.EDU> <6D6F580F8CFB4DB5AB32566FB608088D@localhost> <57BC5F21-B1EE-4D06-BB1B-3DC8582D0D87@ICSI.Berkeley.EDU> <03CF4A3B5B374C4C858DEEB2D66C0702@localhost> <AA116C2A-CCFC-4177-A43A-B3AA066B3C3C@ICSI.Berkeley.EDU> <7F872C0CAA544F9480BF49438AAFA3BF@localhost> <68584293-648A-4F4E-8731-785E8F4D38B7@ICSI.Berkeley.EDU> <662061674DB34DB395F519F52B0C4C35@localhost> <9B17C765-036B-40BD-B05A-E1A3E4582D91@ICSI.Berkeley.EDU> <A919A34B654541468475464F0C794962@localhost> <DB12142D-3A84-42AA-BEB0-844328AC5D28@ICSI.Berkeley.EDU>
Date: Sat, 20 Mar 2010 16:11:29 -0000
Cc: dnsop@ietf.org, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [DNSOP] Should root-servers.net be signed

----- Original Message ----- 
From: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>
To: "George Barwood" <george.barwood@blueyonder.co.uk>
Cc: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>; <dnsop@ietf.org>
Sent: Saturday, March 20, 2010 2:26 PM
Subject: Re: [DNSOP] Should root-servers.net be signed

On Mar 20, 2010, at 1:50 AM, George Barwood wrote:

>>> Enshrining "thou shalt never fragment" into the Internet Architecture is dangerous, and will cause far MORE problems. Having something which regularly exercises fragmentation as critical to the infrastructure, we wouldn't have this problem where 10% of the resolvers are broken WRT fragmentation.
>>
>> I'm not suggesting that. If the higher level protocol has definite security checks, or security is not important,
>> fragmentation is ok. But for DNSSEC neither of these is true.
>
> Then what you're arguing here is don't request stuff with DO unless you are willing to validate. Given the exercise of DO requesting is done (the firewalls have figured it out), drop DO on unvalidated traffic, don't drop fragmentation.

What I'm suggesting is that there is currently a real security problem (worse than Kaminsky),
and the most practical way to fix it is for servers not to send UDP responses that will fragment.
For example, the recently signed UK zone, which is an immediate concern for me.

There is no practical reduction in performance for zones that mostly issue referrals.
Normal responses will easily fit into 1450-byte packets for sensible key sizes (actually much
less: about 800 bytes should be sufficient, maybe a bit more during key rollover).
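The policy argued for in this message, an authoritative server that never emits a UDP response large enough to fragment and sets TC instead so the resolver retries over TCP, as an added example that is not code from the thread, from the UK zone operator, or from any DNS implementation. The hand-rolled wire encoder, the zone name `example.co.uk`, the key sizes, the dummy signatures and the 1450-byte server cap (taken from the message's figure) are all illustrative assumptions; the RDATA layouts follow RFC 4034 and RFC 6891. The script sizes a signed A answer and an apex DNSKEY answer for several key sizes so the reader can compare them against the 1450/800-byte figures the message gives.

```python
"""Added example (not from the DNSOP thread): cap UDP DNSSEC responses at a
fixed size and truncate (TC=1) instead of letting IP fragment them.
All names, key sizes, signatures and the 1450-byte cap are assumptions."""

import struct

SERVER_UDP_CAP = 1450   # assumed cap: under a 1500-byte MTU minus IPv4/UDP headers
TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 2, 41, 46, 48


def encode_name(name):
    """Uncompressed wire-format name (RFC 1035 s3.1); no label compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(owner, rtype, rdata, ttl=3600, rclass=1):
    """One resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def dnskey_rdata(key_bits, flags):
    """RFC 4034 s2.1 DNSKEY RDATA for RSA/SHA-256 (alg 8): flags, protocol 3,
    algorithm, then the RFC 3110 key (exponent length, exponent, modulus)."""
    pubkey = b"\x03" + b"\x01\x00\x01" + b"\xAA" * (key_bits // 8)   # dummy modulus
    return struct.pack("!HBB", flags, 3, 8) + pubkey


def rrsig_rdata(type_covered, signer, key_bits, labels):
    """RFC 4034 s3.1 RRSIG RDATA; an RSA signature is as long as the modulus."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, labels, 3600, 0, 0, 12345)
    return fixed + encode_name(signer) + b"\x00" * (key_bits // 8)     # dummy signature


def opt_rr(udp_size):
    """EDNS0 OPT pseudo-RR (RFC 6891): root owner, CLASS field = UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def serialize(qname, qtype, answer, authority, additional, tc):
    """Header + question + sections + trailing OPT. A truncated reply keeps only
    the question and OPT, which is enough for the client to retry over TCP."""
    if tc:
        answer, authority, additional = [], [], []
    flags = 0x8400 | (0x0200 if tc else 0)                     # QR, AA, optional TC
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer),
                         len(authority), len(additional) + 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answer + authority + additional) + opt_rr(SERVER_UDP_CAP)


def respond_udp(qname, qtype, answer, authority, additional, client_bufsize):
    """Server policy: a UDP reply may not exceed min(client EDNS buffer, our cap).
    Returns (wire, truncated). Oversized replies go out as TC=1 rather than
    as a fragmented datagram."""
    limit = min(client_bufsize, SERVER_UDP_CAP)
    full = serialize(qname, qtype, answer, authority, additional, tc=False)
    if len(full) <= limit:
        return full, False
    return serialize(qname, qtype, answer, authority, additional, tc=True), True


def is_truncated(wire):
    """Read the TC bit back out of a wire-format message header."""
    return bool(struct.unpack("!H", wire[2:4])[0] & 0x0200)


def signed_a_answer(qname, zone, zsk_bits):
    """Signed A answer: A + RRSIG(A), zone NS set + RRSIG(NS), unsigned glue."""
    ns_names = ["ns1." + zone, "ns2." + zone]
    answer = [rr(qname, TYPE_A, b"\xC0\x00\x02\x01"),
              rr(qname, TYPE_RRSIG, rrsig_rdata(TYPE_A, zone, zsk_bits, qname.count(".") + 1))]
    authority = [rr(zone, TYPE_NS, encode_name(n)) for n in ns_names]
    authority.append(rr(zone, TYPE_RRSIG, rrsig_rdata(TYPE_NS, zone, zsk_bits, zone.count(".") + 1)))
    additional = [rr(n, TYPE_A, b"\xC0\x00\x02\x0A") for n in ns_names]
    return answer, authority, additional


def signed_dnskey_answer(zone, ksk_bits, zsk_bits):
    """Apex DNSKEY RRset (KSK + ZSK) signed by both keys: typically the largest reply."""
    n = zone.count(".") + 1
    answer = [rr(zone, TYPE_DNSKEY, dnskey_rdata(ksk_bits, 257)),
              rr(zone, TYPE_DNSKEY, dnskey_rdata(zsk_bits, 256)),
              rr(zone, TYPE_RRSIG, rrsig_rdata(TYPE_DNSKEY, zone, ksk_bits, n)),
              rr(zone, TYPE_RRSIG, rrsig_rdata(TYPE_DNSKEY, zone, zsk_bits, n))]
    return answer, [], []


if __name__ == "__main__":
    zone = "example.co.uk"                                        # assumed zone name
    host = "www." + zone
    cases = [
        ("A, 1024-bit ZSK, client buffer 4096", host, TYPE_A, signed_a_answer(host, zone, 1024), 4096),
        ("A, 1024-bit ZSK, client buffer 512", host, TYPE_A, signed_a_answer(host, zone, 1024), 512),
        ("DNSKEY, 2048-bit KSK + 1024-bit ZSK", zone, TYPE_DNSKEY, signed_dnskey_answer(zone, 2048, 1024), 4096),
        ("DNSKEY, 4096-bit KSK + 1024-bit ZSK", zone, TYPE_DNSKEY, signed_dnskey_answer(zone, 4096, 1024), 4096),
    ]
    for label, qname, qtype, (ans, auth, add), bufsize in cases:
        wire, tc = respond_udp(qname, qtype, ans, auth, add, bufsize)
        full = len(serialize(qname, qtype, ans, auth, add, tc=False))
        print(f"{label}: full reply {full} bytes -> sent {len(wire)} bytes over UDP, TC={tc}")
```

Without name compression the signed A answer with a 1024-bit ZSK comes to 609 bytes and the two-key DNSKEY answer with a 2048-bit KSK to 992 bytes, both under the 1450-byte cap; only the 4096-bit KSK case (1504 bytes) is forced to TC. Real servers compress names and so come in smaller than these figures.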