Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
神明達哉 <jinmei@wide.ad.jp> Fri, 10 July 2015 18:53 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 848911A1AE3 for <dnsop@ietfa.amsl.com>; Fri, 10 Jul 2015 11:53:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Je2VP0iuQBht for <dnsop@ietfa.amsl.com>; Fri, 10 Jul 2015 11:53:31 -0700 (PDT)
Received: from mail-yk0-x232.google.com (mail-yk0-x232.google.com [IPv6:2607:f8b0:4002:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BCE61A1ADF for <dnsop@ietf.org>; Fri, 10 Jul 2015 11:53:31 -0700 (PDT)
Received: by ykee186 with SMTP id e186so70273556yke.2 for <dnsop@ietf.org>; Fri, 10 Jul 2015 11:53:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=aTbYARatxv+C/6NFmleLxde/y1lMH5sVD23yJAxZRrM=; b=t2kzu2wZ86mLtcA36sLQTpVlpOEE9nosTGOm7OvjVfiEcYFo5v6ea6dtuY9jyyFmgM 7Fcw0nPh4FqVLKpgXNq9dXA+0vKxVu3g5vTvyEy+/wyp+6adN4m690qVDe+9P6WhcJW9 NH29fAPZZVoapPsAQEa0extj2IfWozy1l8f4+FgryO93x14ahVDOSjFJHSAjv3NQ7sSi n//b69KBzPiNdyIqx5DcfrXhI69boKCFAtEBb6pHs6QuhcG946ZvSXrLwsQgZcRHyQDy gSWR7mUT20Xi1oWBE3bwiV9Ao3g3BZ6lS2bhFHGWV/mepc4NyoLccbuF1EqN6Y6JVc1Q 2WlA==
MIME-Version: 1.0
X-Received: by 10.170.50.19 with SMTP id 19mr24890287yks.61.1436554410461; Fri, 10 Jul 2015 11:53:30 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.37.48.131 with HTTP; Fri, 10 Jul 2015 11:53:30 -0700 (PDT)
In-Reply-To: <20150707.182043.193693838.fujiwara@jprs.co.jp>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <20150707.182043.193693838.fujiwara@jprs.co.jp>
Date: Fri, 10 Jul 2015 11:53:30 -0700
X-Google-Sender-Auth: pRxU3VP-xAIokBH0QjdZAxSo8l0
Message-ID: <CAJE_bqcRQH0WGTaLqtMSuiOty4KHe9nN6T-wmqf3x_ohuA6TcA@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: fujiwara@jprs.co.jp
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/QPlQfCYMo-ce7oQQglbTnedD9kg>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 18:53:32 -0000
On Tue, Jul 7, 2015 at 2:20 AM, <fujiwara@jprs.co.jp> wrote: > Akira Kato and I submitted draft-fujiwara-dnsop-nsec-aggressiveuse-01. > > https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ > > * Added reference to DLV {{RFC5074}} and imported some sentences. > * Added Aggressive Negative Caching Flag idea. > * Added detailed algorithms in Appendix. > > Please check and comment. The primarily intended benefit of this approach seems to mitigate a DoS attack on a resolver (e.g., according to Section 3). But I'm skeptical about the effectiveness in that context: for this mitigation to work the zone in question needs to be DNSSEC-signed. But an attacker would be easily able to find unsigned zone to use for the attack, and they could even set up an unsigned zone they can control. Also, an equally effective attack is possible without relying non-existent names: an attacker would only find some wildcard name and send random queries that match the wildcard. So, if the proposed approach is really effective to "random (non-existent) sub-domain attacks", attackers would simply move to a variant of it that would still work. So, in the end, a resolver would still employ counter measures like rate limiting (which will work for both types of random name attacks, and will work for unsigned zones), and, if it's reasonably effective, the defense using "nsec-aggressiveuse" won't be that promising. That said, I wouldn't necessarily be opposed to the idea itself. It might still be some nice-to-have optimization for resolver performance, and if so, it's probably worth pursing. In Introduction it states: While negative (non-existence) information of DNS caching mechanism has been known as DNS negative cache [RFC2308], it requires exact matching in most cases. [...] This was because the NXDOMAIN response just says there is no such name "a.example.com" and it doesn't tell anything for "b.example.com". While I see what it tries to say and don't disagree with it, I think this is not very accurate. In fact, NXDOMAIN for "a.example.com" says there is no such name *or any subdomain of it*. So it would still be usable to suppress unnecessary external query for, e.g., foo.a.example.com. Regarding Section 5 (possible side effect on root servers), I wonder about the implication of qname-minimization (which I expect will be deployed much sooner than this proposal). A resolver that supports qname-minimization would first send a query to "local." to the root server upon receiving a "foo.local" query, and cache the result of NXDOMAIN for "local.". It will suppress subsequent external queries for any subdomain of it. -- JINMEI, Tatuya
- [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-0… fujiwara
- [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-0… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Bob Harold
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Casey Deccio
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Stephane Bortzmeyer
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… P Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Stephane Bortzmeyer
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Paul Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Roy Arends
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Roy Arends
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Evan Hunt
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Tim Wicinski
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Viktor Dukhovni
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Paul Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque