Re: increasing DNS message entropy, a solution for NATs

Joe Abley <jabley@ca.afilias.info> Mon, 21 July 2008 16:04 UTC

Cc: namedroppers@ops.ietf.org, Alessandro.Linari@nominet.org.uk
Message-Id: <E4C601CA-7E9F-404F-B5FB-8F9B3AA53044@ca.afilias.info>
From: Joe Abley <jabley@ca.afilias.info>
To: Roy Arends <roy@nominet.org.uk>
In-Reply-To: <OF6B63EC19.5E0A6D58-ON8025748D.003A54A9-C125748D.003E1133@nominet.org.uk>
Subject: Re: increasing DNS message entropy, a solution for NATs
Date: Mon, 21 Jul 2008 11:57:25 -0400
References: <OF6B63EC19.5E0A6D58-ON8025748D.003A54A9-C125748D.003E1133@nominet.org.uk>
List-ID: <namedroppers.ops.ietf.org>

On 21 Jul 2008, at 07:17, Roy Arends wrote:

> A simple, straightforward method to increase entropy in DNS message
> transactions is to query for the same name twice (or N times for even more
> increased entropy) and require that the answers be the same. This does
> require a change to the resolver, but not to the authoritative server.

This will lead to trouble if the query is ever answered by one of a
cluster of servers, where there is the potential for some servers in
the cluster to be slightly more up-to-date than others.

It also might lead to trouble if the query is ever answered by a
single-source server which updates between query i and query j for
some j>i.

> There are a few things to consider, such as auth-servers not agreeing on
> zone content (or other protocol violations), or avoiding the birthday
> paradox when sending two queries to the same server, but overall, this
> solution is an alternative for those deployments that are not capable of
> making use of source port randomization.


Joe
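A small model of the repeated-query check and of the cluster-skew failure mode discussed in this exchange, added here as an example and not code from either poster. The cluster answers and forged-packet counts are constructed; the spoofing arithmetic assumes a fixed source port, so the 16-bit message ID is the only field a blind attacker has to guess.

```python
import random

ID_SPACE = 1 << 16  # 16-bit DNS message ID


def agreed_answer(answers):
    """Accept the transaction only if every repeated query returned the same
    answer. Returns the common answer, or None when the resolver must discard
    the whole result and retry."""
    if not answers:
        return None
    first = answers[0]
    return first if all(a == first for a in answers) else None


def spoof_success_probability(n_queries, forged_per_query):
    """Probability that an attacker who blindly sends `forged_per_query`
    distinct ID guesses per outstanding query wins *every* one of the n
    repeated queries. With a fixed source port each query is won with
    probability forged/2^16, and the repeats are independent."""
    p_one = min(forged_per_query, ID_SPACE) / ID_SPACE
    return p_one ** n_queries


def resolve_with_repeats(zone_views, n_queries, rng):
    """Model of the repeated-query resolver talking to a server cluster.
    `zone_views` lists the answer each cluster member would give; a lagging
    member makes the list non-uniform. IDs are drawn without replacement so
    one forged packet can never satisfy two outstanding queries (the
    birthday-paradox concern). Returns (answer_or_None, ids)."""
    ids = rng.sample(range(ID_SPACE), n_queries)
    answers = [rng.choice(zone_views) for _ in ids]
    return agreed_answer(answers), ids


def false_reject_rate(zone_views, n_queries, trials, seed=1):
    """Fraction of legitimate transactions discarded purely because cluster
    members disagree (the objection raised above), estimated by simulation."""
    rng = random.Random(seed)
    rejected = sum(1 for _ in range(trials)
                   if resolve_with_repeats(zone_views, n_queries, rng)[0] is None)
    return rejected / trials


if __name__ == "__main__":
    print(spoof_success_probability(1, 1000), spoof_success_probability(2, 1000))
    # constructed cluster: three fresh members plus one still serving the old RRset
    views = ["192.0.2.10"] * 3 + ["192.0.2.9"]
    print(false_reject_rate(views, 2, 10000))
```

With the four-member cluster above and two queries, roughly 3/8 of legitimate lookups are rejected even though no attack is under way, which is the cost the objection points at.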

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>