Re: [DNSOP] Should root-servers.net be signed

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Sun, 07 March 2010 09:22 UTC

Message-ID: <4B937030.2030801@necom830.hpcl.titech.ac.jp>
Date: Sun, 07 Mar 2010 18:21:52 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: George Barwood <george.barwood@blueyonder.co.uk>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost>
In-Reply-To: <2AA0F45200E147D1ADC86A4B373C3D46@localhost>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Should root-servers.net be signed

George Barwood wrote:
 
> For a resolver behind a NAT firewall that removes port randomization,

You should also assume that the firewall traps all the packets to
port 53.

> it is possible for an attacker to spoof the priming query (only
> 16 bits of ID protection).

Yes, it is possible even with signed root, because the client can't
directly ask name servers and must just rely on the firewall.

So, the answer is that root servers should not be signed, because
signing is useless.

						Masataka Ohta
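An added illustration of the "16 bits of ID protection" point above; this is my own example, not code from the thread or from either poster. It assumes a defender has captured the resolver's outgoing queries on the Internet side of the NAT; the sample (ID, port) pairs are constructed, the `assess_spoof_resistance` helper is hypothetical, and crediting a varying source port with the full 16 bits is a simplifying assumption (a real audit needs thousands of samples):

```python
import math

# Constructed samples of (DNS transaction ID, UDP source port) for a resolver's
# outgoing queries as seen outside its NAT. Not real captures.
BEHIND_REWRITING_NAT = [(0x1a2b, 53), (0x9f10, 53), (0x0042, 53),
                        (0x77c1, 53), (0xbeef, 53), (0x1234, 53)]
PORTS_PRESERVED = [(0x1a2b, 41233), (0x9f10, 58012), (0x0042, 12999),
                   (0x77c1, 60145), (0xbeef, 33817), (0x1234, 49981)]
SEQUENTIAL_IDS = [(0x1000 + i, 40000 + 7 * i) for i in range(6)]


def _looks_sequential(values):
    """True if consecutive observations differ by one constant step (predictable)."""
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 2 and len(diffs) == 1


def assess_spoof_resistance(samples):
    """Estimate how many bits an off-path forger must guess to match one query.

    Assumption (mine, not from the thread): a varying, non-sequential source
    port is credited the ~16 bits RFC 5452 recommends; a single port (NAT
    rewriting everything to one port) or a predictable sequence is 0 bits.
    The 16-bit transaction ID counts only if it is not sequential.
    """
    ids = [i for i, _ in samples]
    ports = [p for _, p in samples]
    port_fixed = len(set(ports)) == 1
    port_bits = 0.0 if port_fixed or _looks_sequential(ports) else 16.0
    id_bits = 0.0 if _looks_sequential(ids) else 16.0
    return {"port_randomization_stripped": port_fixed,
            "id_bits": id_bits, "port_bits": port_bits,
            "guess_bits": id_bits + port_bits}


def forgery_success_probability(guess_bits, forged_replies):
    """P(at least one of N blind forgeries matches) under uniform randomness."""
    return 1.0 - (1.0 - 2.0 ** -guess_bits) ** forged_replies


if __name__ == "__main__":
    for name, cap in [("rewriting NAT", BEHIND_REWRITING_NAT),
                      ("ports preserved", PORTS_PRESERVED),
                      ("sequential IDs", SEQUENTIAL_IDS)]:
        a = assess_spoof_resistance(cap)
        p = forgery_success_probability(a["guess_bits"], 2 ** 16)
        print(f"{name:16s} stripped={a['port_randomization_stripped']} "
              f"guess_bits={a['guess_bits']:.0f} P(hit in 65536 tries)={p:.2e}")
```

With the port collapsed to 53 the forger is back to guessing only the 16-bit ID, so a burst of 2^16 forged replies succeeds with probability about 1 - 1/e; with the port preserved the same burst succeeds with probability on the order of 10^-5.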