Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt
Mark Andrews <marka@isc.org> Fri, 01 March 2019 20:00 UTC
From: Mark Andrews <marka@isc.org>
Date: Sat, 02 Mar 2019 07:00:24 +1100
To: fujiwara@jprs.co.jp
Cc: dnsop@ietf.org
In-Reply-To: <20190301.211448.2262229485785576167.fujiwara@jprs.co.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DO3vTOrpO-LWsRYKvfncuHK3I_k>
Or one can use TSIG with a well known key to get a cryptographic hash of the response. Below is how the servers for the Alexa top 1 Million handle unexpected TSIG. It’s well under a day to add this to a recursive server that supports TSIG already. It’s a couple of minutes of configuration time to add it to an authoritative server that supports TSIG already.

Count, without WKK, with WKK.

https://ednscomp.isc.org/compliance/alexa1m-tsig-wkk.txt
2019-02-24T00:00:05Z

     2 dns=ok dnswkk=eof
    39 dns=failed dnswkk=failed
   348 dns=ok dnswkk=formerr,notsig
    65 dns=timeout dnswkk=formerr,notsig
    10 dns=nosoa,noaa dnswkk=formerr,notsig
     7 dns=servfail dnswkk=formerr,notsig
     3 dns=formerr dnswkk=formerr,notsig
     3 dns=nosoa,noaa,rd dnswkk=formerr,notsig
     3 dns=refused dnswkk=formerr,notsig
     2 dns=noaa dnswkk=formerr,notsig
     1 dns=nxdomain dnswkk=formerr,notsig
     9 dns=ok dnswkk=formerr,notsig,opt (non RFC compliant: OPT record in response)
     2 dns=refused dnswkk=formerr,notsig,opt (non RFC compliant: OPT record in response)
   786 dns=ok dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
    33 dns=refused dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
     6 dns=servfail dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
     3 dns=noaa dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
     3 dns=timeout dnswkk=formerr,tsig-bad-sig (non RFC compliant: TSIG record in response)
     1 dns=ok dnswkk=formerr,tsig-bad-sig,proxy (non RFC compliant: TSIG record in response)
     9 dns=rd dnswkk=formerr,tsig-bad-sig,rd (non RFC compliant: TSIG record in response)
   156 dns=refused dnswkk=malformed (non RFC compliant: malformed)
   135 dns=ok dnswkk=malformed (non RFC compliant: malformed)
    38 dns=servfail dnswkk=malformed (non RFC compliant: malformed)
    13 dns=malformed dnswkk=malformed (non RFC compliant: malformed)
    13 dns=timeout dnswkk=malformed (non RFC compliant: malformed)
    10 dns=nosoa dnswkk=malformed (non RFC compliant: malformed)
     8 dns=nxdomain,ad dnswkk=malformed (non RFC compliant: malformed)
     3 dns=nosoa,noaa dnswkk=malformed (non RFC compliant: malformed)
     4 dns=ok dnswkk=noerror,badkey,nosoa,noaa (non RFC compliant: rcode != NOTAUTH)
     4 dns=ok dnswkk=noerror,badkey,tsig-wrong-alg,nosoa,noaa (non RFC compliant: rcode != NOTAUTH)
     3 dns=ok dnswkk=noerror,badkey,tsig-wrong-alg,tsig-bad-time,nosoa,noaa (non RFC compliant: rcode != NOTAUTH)
142252 dns=ok dnswkk=notauth,badkey
  2483 dns=refused dnswkk=notauth,badkey
   694 dns=servfail dnswkk=notauth,badkey
   369 dns=timeout dnswkk=notauth,badkey
   295 dns=nosoa,noaa dnswkk=notauth,badkey
   176 dns=rd dnswkk=notauth,badkey
    43 dns=nosoa dnswkk=notauth,badkey
     9 dns=noaa dnswkk=notauth,badkey
     2 dns=nxdomain dnswkk=notauth,badkey
     2 dns=opt dnswkk=notauth,badkey
     2 dns=refused,rd dnswkk=notauth,badkey
     5 dns=opt dnswkk=notauth,badkey,opt (non RFC compliant: OPT record in response)
   318 dns=ok dnswkk=notauth,badkey,proxy
     6 dns=refused dnswkk=notauth,badkey,proxy
     3 dns=servfail dnswkk=notauth,badkey,proxy
     2 dns=nosoa,noaa dnswkk=notauth,badkey,proxy
     2 dns=timeout dnswkk=notauth,badkey,proxy
     1 dns=rd dnswkk=notauth,badkey,rd,proxy (non RFC compliant: RD=1 in response)
  8238 dns=ok dnswkk=notauth,badkey,tsig-bad-time
   159 dns=refused dnswkk=notauth,badkey,tsig-bad-time
   118 dns=servfail dnswkk=notauth,badkey,tsig-bad-time
    37 dns=nosoa,noaa dnswkk=notauth,badkey,tsig-bad-time
    30 dns=rd dnswkk=notauth,badkey,tsig-bad-time
    17 dns=timeout dnswkk=notauth,badkey,tsig-bad-time
     3 dns=noaa dnswkk=notauth,badkey,tsig-bad-time
     2 dns=nosoa dnswkk=notauth,badkey,tsig-bad-time
    31 dns=ok dnswkk=notauth,badkey,tsig-bad-time,proxy
     2 dns=nosoa,noaa dnswkk=notauth,badkey,tsig-bad-time,proxy
     1 dns=refused dnswkk=notauth,badkey,tsig-bad-time,proxy
    27 dns=ok dnswkk=notauth,badkey,tsig-bad-time,tsig-bad-fudge
   105 dns=ok dnswkk=notauth,badkey,tsig-wrong-alg
     5 dns=nosoa,noaa dnswkk=notauth,badkey,tsig-wrong-alg
     1 dns=ok dnswkk=notauth,badkey,tsig-wrong-alg,proxy
    30 dns=ok dnswkk=notauth,badkey,tsig-wrong-alg,tsig-bad-time
 11401 dns=ok dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
   278 dns=refused dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
    82 dns=timeout dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
    18 dns=nosoa,noaa dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
     5 dns=servfail dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
     2 dns=nxdomain dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
     2 dns=reset dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
     1 dns=nosoa dnswkk=notauth,notsig (non RFC compliant: NOTAUTH without TSIG)
   445 dns=ok dnswkk=notimp,notsig
    45 dns=refused dnswkk=notimp,notsig
     2 dns=notimp dnswkk=notimp,notsig
     2 dns=timeout dnswkk=notimp,notsig
 41201 dns=ok dnswkk=notsig
   284 dns=timeout dnswkk=notsig
    33 dns=servfail dnswkk=notsig
    15 dns=opt dnswkk=notsig
     6 dns=refused dnswkk=notsig
     4 dns=noaa dnswkk=notsig
     2 dns=malformed dnswkk=notsig
     1 dns=cd dnswkk=notsig
     1 dns=nosoa,noaa,rd dnswkk=notsig
     3 dns=cd dnswkk=notsig,cd
     1 dns=ok dnswkk=notsig,cd
    54 dns=noaa dnswkk=notsig,noaa
    13 dns=ok dnswkk=notsig,noaa
     4 dns=opt dnswkk=notsig,noaa
     3 dns=noaa,rd dnswkk=notsig,noaa,rd
   123 dns=nosoa dnswkk=notsig,nosoa
     3 dns=nosoa,noaa,rd dnswkk=notsig,nosoa
     2 dns=nosoa,noaa dnswkk=notsig,nosoa
   311 dns=nosoa,noaa dnswkk=notsig,nosoa,noaa
    78 dns=nosoa,noaa,rd dnswkk=notsig,nosoa,noaa,rd
     8 dns=ok dnswkk=notsig,nosoa,noaa,rd
     3 dns=nosoa dnswkk=notsig,nosoa,noaa,rd
     5 dns=nosoa,rd dnswkk=notsig,nosoa,rd
    15 dns=opt dnswkk=notsig,opt
     1 dns=timeout dnswkk=notsig,opt
     1 dns=opt,cd dnswkk=notsig,opt,cd
     1 dns=nosoa,noaa dnswkk=notsig,opt,nosoa,noaa
    27 dns=rd dnswkk=notsig,rd
     6 dns=timeout dnswkk=notsig,rd
    21 dns=nxdomain dnswkk=nxdomain,notsig
     3 dns=ok dnswkk=ok
   121 dns=ok dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
    20 dns=servfail dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
    19 dns=refused dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
     1 dns=nosoa,noaa dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
     1 dns=timeout dnswkk=refused,badkey (non RFC compliant: rcode != NOTAUTH)
     5 dns=refused dnswkk=refused,badkey,tsig-bad-time (non RFC compliant: rcode != NOTAUTH)
   996 dns=refused dnswkk=refused,notsig
     2 dns=ok dnswkk=refused,notsig (non RFC compliant: REFUSED when plain DNS not REFUSED)
    33 dns=refused dnswkk=refused,tsig-bad-sig (likely non RFC compliant)
     1 dns=ok dnswkk=reset
     1 dns=reset dnswkk=reset
  1258 dns=ok dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
   139 dns=servfail dnswkk=servfail,notsig
    21 dns=refused dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
    10 dns=nosoa,noaa dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
    10 dns=timeout dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
     2 dns=nxdomain,soa dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
     1 dns=noaa dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
     1 dns=rd dnswkk=servfail,notsig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
    48 dns=ok dnswkk=servfail,tsig-bad-sig (non RFC compliant: SERVFAIL when plain DNS not SERVFAIL)
     9 dns=servfail dnswkk=servfail,tsig-bad-sig
 17621 dns=timeout dnswkk=timeout
  1305 dns=ok dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
    22 dns=refused dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     6 dns=servfail dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     5 dns=malformed dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     4 dns=rd dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     2 dns=nosoa dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     2 dns=nosoa,noaa dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     2 dns=nosoa,noaa,rd dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     1 dns=nosoa,rd dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
     1 dns=opt dnswkk=timeout (non RFC compliant: timeout on request containing TSIG)
    46 dns=ok dnswkk=tsig-bad-sig
     4 dns=timeout dnswkk=tsig-bad-sig
     4 dns=update dnswkk=tsig-bad-sig
     7 dns=nosoa dnswkk=tsig-bad-sig,nosoa
     1 dns=timeout dnswkk=tsig-bad-sig,nosoa
     1 dns=nosoa,noaa dnswkk=tsig-bad-sig,nosoa,noaa
     1 dns=ok dnswkk=tsig-not-last,tsig-bad-sig (non RFC compliant: TSIG not last record in additional section)

> On 1 Mar 2019, at 11:14 pm, fujiwara@jprs.co.jp wrote:
>
> Dear DNSOP,
>
> I submitted draft-fujiwara-dnsop-fragment-attack-01.
>
> https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
>
> It summarizes DNS cache poisoning attacks using IP fragmentation
> and countermeasures.
>
> If there is interest in the draft, I will request a timeslot at IETF 104.
>
> I think it is time to consider avoiding IP fragmentation in DNS.
> It is possible to avoid IP fragmentation as much as possible.
>
> It is not good that DNS is the biggest user of IP fragmentation.
>
> Regards,
>
> --
> Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
>
> A new version of I-D, draft-fujiwara-dnsop-fragment-attack-01.txt
> has been successfully submitted by Kazunori Fujiwara and posted to the
> IETF repository.
>
> Name:          draft-fujiwara-dnsop-fragment-attack
> Revision:      01
> Title:         Measures against cache poisoning attacks using IP fragmentation in DNS
> Document date: 2019-03-01
> Group:         Individual Submission
> Pages:         13
> URL:           https://www.ietf.org/internet-drafts/draft-fujiwara-dnsop-fragment-attack-01.txt
> Status:        https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-fragment-attack/
> Htmlized:      https://tools.ietf.org/html/draft-fujiwara-dnsop-fragment-attack-01
> Htmlized:      https://datatracker.ietf.org/doc/html/draft-fujiwara-dnsop-fragment-attack
> Diff:          https://www.ietf.org/rfcdiff?url2=draft-fujiwara-dnsop-fragment-attack-01
>
> Abstract:
>    Researchers proposed practical DNS cache poisoning attacks using IP
>    fragmentation. This document shows feasible and adequate measures at
>    full-service resolvers and authoritative servers against these
>    attacks. To protect resolvers from these attacks, avoid
>    fragmentation (limit requestor's UDP payload size to 1220/1232), drop
>    fragmented UDP DNS responses and use TCP at resolver side. To make a
>    domain name robust against these attacks, limit EDNS0 Responder's
>    maximum payload size to 1220, set DONTFRAG option to DNS response
>    packets and use good random fragmentation ID at authoritative server
>    side.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org