[DNSOP] UDP fragmentation vs multiple-responses and multi-qtypes

Ondřej Surý <ondrej.sury@nic.cz> Thu, 20 July 2017 16:41 UTC

Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 40AB4131C4E for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 09:41:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Yuhp3G6sCQGZ for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 09:41:36 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DE1C131714 for <dnsop@ietf.org>; Thu, 20 Jul 2017 09:41:35 -0700 (PDT)
Received: from zimbra.rfc1925.org (calcifer.labs.nic.cz []) by mail.nic.cz (Postfix) with ESMTP id 0D33A60732 for <dnsop@ietf.org>; Thu, 20 Jul 2017 18:41:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1500568894; bh=dDMW5iKsnYDfG2X9JhloRnCgA4YSuVjFcivOrwLY5oQ=; h=Date:From:To; b=uMmg+inSlkpqkpj7LqQX/nYTzvKQWw0hEm0mkypYnPeIT6qZ5xEBLvxN0WvHRdFJY SzwgxiERwCBosePO9RHmWF5Le1lnAvHq0IDcyyHMT2Ma3xHqk0fT1esfWmrzawn5Mj Pjw/7iIviH90zlBTdF/ckqVIq2wX3dVUBgQdAcWs=
Date: Thu, 20 Jul 2017 18:41:33 +0200 (CEST)
From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
To: dnsop <dnsop@ietf.org>
Message-ID: <1686897744.6421.1500568893614.JavaMail.zimbra@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: []
X-Mailer: Zimbra 8.7.9_GA_1794 (ZimbraWebClient - GC59 (Linux)/8.7.9_GA_1794)
Thread-Index: drTJLRO/4nkR2JIAujzyHoaQf8cQWQ==
Thread-Topic: UDP fragmentation vs multiple-responses and multi-qtypes
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/orVbmYDlqkKxz5luv7xST-yI8RM>
Subject: [DNSOP] UDP fragmentation vs multiple-responses and multi-qtypes
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 16:41:38 -0000

multi-qtypes Security Considerations says:
>    The method documented here does not change any of the security
>    properties of the DNS protocol itself.

I don't think this statement is true.  Why?

a) DNS DDoS threats are real and there was a shift towards minimizing
   answers.  This goes in the reverse direction.  But you address this
   in both security considerations.

multiple-responses Security Considerations says:
>    Additional records will make DNS responses even larger than they are
>    currently, leading to larger records that can be used in DNS
>    reflection attacks.  One could mitigate this by only serving
>    responses to EXTRA requests over TCP or when using Cookies [RFC5395],
>    although there is no easy way to signal this to a client other than
>    through the use of the truncate bit.

multi-qtypes Security Considerations says:
>    It should however be noted that this method does increase the
>    potential amplification factor when the DNS protocol is used as a
>    vector for a denial of service attack.

b) UDP fragmentations - it strongly increases the risk of UDP fragmentation
   which is strongly discouraged (SHOULD NOT) in BCP 145.

also multiple-responses Security Considerations says:

>    A malicious authoritative server could include a large number of
>    extra records (and associated DNSSEC information) and attempt to DoS
>    the recursive by making it do lots of DNSSEC validation.  However,
>    this is not considered a realistic threat; CPU for validation is
>    cheap compared to bandwidth.  This can be mitigated by allowing the
>    recursive resolver to ignore Additional records whenever it considers
>    itself under attack or its CPU resources are otherwise over-
>    committed.

It should be noted, that ECC validation is more CPU intensive than RSA, as
as such I find "CPU for validation is cheap compared to bandwidth" quite
bold claim that should come with some data.

 Ondřej Surý -- Technical Fellow
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury@nic.cz    https://nic.cz/