Re: [DNSOP] Should root-servers.net be signed

Joe Baptista <baptista@publicroot.org> Sun, 07 March 2010 13:52 UTC

From: Joe Baptista <baptista@publicroot.org>
To: George Barwood <george.barwood@blueyonder.co.uk>
Cc: dnsop@ietf.org
Date: Sun, 07 Mar 2010 08:52:30 -0500
Subject: Re: [DNSOP] Should root-servers.net be signed

My recommendation - upgrade your NAT.

regards
joe baptista

On Sun, Mar 7, 2010 at 3:06 AM, George Barwood <
george.barwood@blueyonder.co.uk> wrote:

> I have been wondering about this.
>
> For a resolver behind a NAT firewall that removes port randomization,
> it is possible for an attacker to spoof the priming query (only 16 bits of
> ID protection).
>
> If root-servers.net is unsigned, it's not possible for the resolver to
> validate the set of root IP addresses, meaning that
>
> (a) An attacker can control every unsigned zone.
>
> (b) An attacker can monitor every request to a signed zone (no privacy).
>
> (c) An attacker can deny service to any zone, on a selective basis.
>
> Apparently there are currently no plans to sign root-servers.net.
>
> The main argument against seems to be that the priming query
> response size (with DO=1) would be greatly increased.
>
> Any thoughts?
>
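The thread's premise is a NAT that rewrites the resolver's source ports, leaving only the 16-bit transaction ID against a spoofed priming response. The check below, an added example that is not part of the thread or of any resolver's code, estimates from a list of (source port, transaction ID) pairs, as one would extract from a packet capture taken on the public side of the NAT, whether the ports are still random, sequential, or fixed. The sample data is constructed; the thresholds (90%) are assumptions.

```python
"""Detect loss of DNS source-port randomization from observed queries."""
import math
import random
from collections import Counter


def _entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def port_randomization_report(pairs):
    """pairs: list of (src_port, txid) as seen on the public side of the NAT.

    Returns the estimated entropy of ports and IDs, whether the port is fixed
    or stepping predictably, and a one-line verdict. Entropy alone cannot
    spot a sequential NAT (every port is distinct), so step size is checked too.
    """
    if len(pairs) < 2:
        raise ValueError("need at least two observed queries")
    ports = [p for p, _ in pairs]
    ids = [t for _, t in pairs]
    port_bits, id_bits = _entropy_bits(ports), _entropy_bits(ids)
    ceiling = math.log2(len(pairs))  # a sample of n values can show at most log2(n) bits
    fixed = len(set(ports)) == 1
    deltas = Counter((ports[i + 1] - ports[i]) % 65536 for i in range(len(ports) - 1))
    step, hits = deltas.most_common(1)[0]
    sequential = (not fixed) and step != 0 and hits >= 0.9 * (len(ports) - 1)
    if fixed:
        verdict = "fixed source port: only the 16-bit ID protects against spoofing"
    elif sequential:
        verdict = "sequential source port: port is predictable, only the 16-bit ID protects"
    elif port_bits >= 0.9 * ceiling:
        verdict = "source ports look random"
    else:
        verdict = "source ports partly predictable"
    return {"port_bits": port_bits, "id_bits": id_bits, "fixed_port": fixed,
            "sequential_port": sequential, "verdict": verdict}


# Constructed samples standing in for three captures (not real traffic).
_rng = random.Random(1)
RANDOM_SAMPLE = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(512)]
NAT_SEQUENTIAL_SAMPLE = [(1025 + i, _rng.randrange(65536)) for i in range(512)]
NAT_FIXED_SAMPLE = [(53, _rng.randrange(65536)) for _ in range(512)]

if __name__ == "__main__":
    for name, sample in [("random", RANDOM_SAMPLE), ("sequential NAT", NAT_SEQUENTIAL_SAMPLE),
                         ("fixed-port NAT", NAT_FIXED_SAMPLE)]:
        print(name, port_randomization_report(sample)["verdict"])
```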