Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Nicholas Weaver <> Fri, 13 March 2015 20:07 UTC

From: Nicholas Weaver <>
Date: Fri, 13 Mar 2015 13:07:43 -0700
To: Morizot Timothy S <>
Cc: "" <>, Nicholas Weaver <>
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

> On Mar 13, 2015, at 10:21 AM, Morizot Timothy S <> wrote:
> It’s been steadily increasing for years now and gives me an idea what percentage of the US public is protected against certain types of attacks involving our zones. DNSSEC validation is not a panacea, but in a layered approach toward combating fraud and certain sorts of attacks, it does provide a particular sort of protection not available through any other means. Whether or not ISPs sign their authoritative zones matters much less to us than whether or not they implement DNSSEC validation on their recursive nameservers. And that’s not a failure at all. By the measure above (which isn’t perfect, but the best one available) roughly a fifth to a quarter of the US public, the primary consumers of our zones, exclusively use validating nameservers. That’s significant. Would I like to see it higher? Sure. But I’ll take it.

The problem is validation by the recursive resolver is nearly useless for security, but one heck of an effective DOS attack (NASA, HBO, etc)...

Let's look at what real world attacks on DNS are.

a:  Corrupt the registrar.  DNSSEC do any good?  Nope.

b:  Corrupt the traffic in-flight (on-path or in-path).  DNSSEC do any good?  Only if the attacker is not on the path for the final traffic, but just the DNS request.

c:  The recursive resolver lies.  Why would you trust it to validate?

d:  The NAT or a device between the recursive resolver and the user lies.  Again, validation from the recursive resolver works how?

Overall, unless you are validating on the end host rather than the recursive resolver, DNSSEC does a lot of harm from misconfiguration-DOS, but almost no good.

Nicholas Weaver
510-666-2903
it is a tale, told by an idiot, full of sound and fury, signifying nothing
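An added illustration of cases (c) and (d) above, not code from the mail or the list: the AD ("Authentic Data") bit that a stub receives is a plain flag in the unsigned DNS header, so anything between the validating recursive resolver and the host can set it, and a stub that trusts it has gained nothing. The constructed header bytes, the loopback check standing in for "validation on the end host" (the position RFC 4035 section 4.9.3 also takes for trusting AD), and the function names are assumptions for the example.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035).
AD_FLAG = 0x0020  # Authentic Data: the resolver claims it validated the answer
CD_FLAG = 0x0010  # Checking Disabled: the querier will validate on its own
RD_FLAG = 0x0100  # Recursion Desired
LOOPBACK = ("127.0.0.1", "::1")  # assumption: an on-host validator listens here

def header_flags(msg: bytes) -> int:
    """Return the flags word of the fixed 12-byte header; no RRSIG covers it."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    return struct.unpack("!6H", msg[:12])[1]

def build_response_header(txid: int, flags: int) -> bytes:
    """Header of a response with one question and one answer (sections omitted)."""
    return struct.pack("!6H", txid, flags, 1, 1, 0, 0)

def rewrite_ad_bit(msg: bytes) -> bytes:
    """Case (d) in the mail: a box between resolver and host can set AD at will,
    since the header is neither signed nor covered by anything the stub checks."""
    flags = header_flags(msg) | AD_FLAG
    return msg[:2] + struct.pack("!H", flags) + msg[4:]

def naive_stub_accepts(msg: bytes, resolver_addr: str) -> bool:
    """Stub that believes AD from any resolver address: fooled by the rewrite."""
    return bool(header_flags(msg) & AD_FLAG)

def careful_stub_accepts(msg: bytes, resolver_addr: str) -> bool:
    """Stub that honours AD only when validation ran on the end host; anything
    else it must validate itself (RRSIG checking not shown) or treat as unverified."""
    return bool(header_flags(msg) & AD_FLAG) and resolver_addr in LOOPBACK

def self_validating_query_flags() -> int:
    """Flags a self-validating stub sends: RD plus CD, so the upstream hands back
    data it could not validate instead of SERVFAIL and the host decides for itself."""
    return RD_FLAG | CD_FLAG

# Constructed sample: an upstream resolver's reply for an unsigned name (QR|RD|RA, AD clear)...
UPSTREAM_REPLY = build_response_header(0x1234, 0x8180)
# ...and the same bytes after a lying middlebox stamped AD on them.
TAMPERED_REPLY = rewrite_ad_bit(UPSTREAM_REPLY)
```

The naive stub accepts the tampered reply from a remote resolver as authenticated; the careful stub does not, which is the distinction between resolver-side and host-side validation the mail draws.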