[DNSOP] UDP fragmentation vs multiple-responses and multi-qtypes
Ondřej Surý <ondrej.sury@nic.cz> Thu, 20 July 2017 16:41 UTC
Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40AB4131C4E for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 09:41:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yuhp3G6sCQGZ for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 09:41:36 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DE1C131714 for <dnsop@ietf.org>; Thu, 20 Jul 2017 09:41:35 -0700 (PDT)
Received: from zimbra.rfc1925.org (calcifer.labs.nic.cz [217.31.192.138]) by mail.nic.cz (Postfix) with ESMTP id 0D33A60732 for <dnsop@ietf.org>; Thu, 20 Jul 2017 18:41:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1500568894; bh=dDMW5iKsnYDfG2X9JhloRnCgA4YSuVjFcivOrwLY5oQ=; h=Date:From:To; b=uMmg+inSlkpqkpj7LqQX/nYTzvKQWw0hEm0mkypYnPeIT6qZ5xEBLvxN0WvHRdFJY SzwgxiERwCBosePO9RHmWF5Le1lnAvHq0IDcyyHMT2Ma3xHqk0fT1esfWmrzawn5Mj Pjw/7iIviH90zlBTdF/ckqVIq2wX3dVUBgQdAcWs=
Date: Thu, 20 Jul 2017 18:41:33 +0200
From: Ondřej Surý <ondrej.sury@nic.cz>
To: dnsop <dnsop@ietf.org>
Message-ID: <1686897744.6421.1500568893614.JavaMail.zimbra@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [217.31.192.138]
X-Mailer: Zimbra 8.7.9_GA_1794 (ZimbraWebClient - GC59 (Linux)/8.7.9_GA_1794)
Thread-Index: drTJLRO/4nkR2JIAujzyHoaQf8cQWQ==
Thread-Topic: UDP fragmentation vs multiple-responses and multi-qtypes
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/orVbmYDlqkKxz5luv7xST-yI8RM>
Subject: [DNSOP] UDP fragmentation vs multiple-responses and multi-qtypes
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 16:41:38 -0000
multi-qtypes Security Considerations says: > The method documented here does not change any of the security > properties of the DNS protocol itself. I don't think this statement is true. Why? a) DNS DDoS threats are real and there was a shift towards minimizing answers. This goes in the reverse direction. But you address this in both security considerations. multiple-responses Security Considerations says: > > Additional records will make DNS responses even larger than they are > currently, leading to larger records that can be used in DNS > reflection attacks. One could mitigate this by only serving > responses to EXTRA requests over TCP or when using Cookies [RFC5395], > although there is no easy way to signal this to a client other than > through the use of the truncate bit. multi-qtypes Security Considerations says: > It should however be noted that this method does increase the > potential amplification factor when the DNS protocol is used as a > vector for a denial of service attack. b) UDP fragmentations - it strongly increases the risk of UDP fragmentation which is strongly discouraged (SHOULD NOT) in BCP 145. also multiple-responses Security Considerations says: > A malicious authoritative server could include a large number of > extra records (and associated DNSSEC information) and attempt to DoS > the recursive by making it do lots of DNSSEC validation. However, > this is not considered a realistic threat; CPU for validation is > cheap compared to bandwidth. This can be mitigated by allowing the > recursive resolver to ignore Additional records whenever it considers > itself under attack or its CPU resources are otherwise over- > committed. It should be noted, that ECC validation is more CPU intensive than RSA, as as such I find "CPU for validation is cheap compared to bandwidth" quite bold claim that should come with some data. Cheers, -- Ondřej Surý -- Technical Fellow -------------------------------------------- CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC Milesovska 5, 130 00 Praha 3, Czech Republic mailto:ondrej.sury@nic.cz https://nic.cz/ --------------------------------------------