Re: Online signing (was: Evaluating DNSSEC transition mechanisms)
Roy Arends <roy@dnss.ec> Fri, 11 June 2004 08:34 UTC
From: Roy Arends <roy@dnss.ec>
Subject: Re: Online signing (was: Evaluating DNSSEC transition mechanisms)
Date: Fri, 11 Jun 2004 10:34:21 +0200
Lines: 41
Sender: owner-namedroppers@ops.ietf.org
References: <20040603161757.2c386dd7.olaf@ripe.net> <Pine.OSX.4.60.0406100932520.5571@criollo.schlyter.se> <a06020431bcee2fb29e74@[192.136.136.83]> <40C88D07.3040700@algroup.co.uk> <Pine.OSX.4.60.0406102133430.14544@criollo.schlyter.se> <Pine.LNX.4.58.0406102148580.2889@elektron.atoom.net> <16585.664.987120.394778@giles.gnomon.org.uk>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: namedroppers@ops.ietf.org
X-From: owner-namedroppers@ops.ietf.org Fri Jun 11 10:42:42 2004
Return-path: <owner-namedroppers@ops.ietf.org>
X-Authentication-Warning: elektron.atoom.net: roy owned process doing -bs
X-X-Sender: roy@elektron.atoom.net
To: Roy Badami <roy@gnomon.org.uk>
In-Reply-To: <16585.664.987120.394778@giles.gnomon.org.uk>
X-Virus-Scanned: by amavisd-new
Precedence: bulk
X-Message-ID:
Message-ID: <20140418071851.2560.67160.ARCHIVE@ietfa.amsl.com>
On Fri, 11 Jun 2004, Roy Badami wrote:

> As a slight aside, if I were architecting such a system from scratch,
> I'd be inclined to consider combining it with Bloom filters, and only
> signing denials where there was a collision in the Bloom filter -- in
> other cases the Bloom filter itself could be used to prove
> non-existence.
>
> I'm reasonably confident that the combination of these two measures
> would make the computational overhead of online signing a non-issue
> for a normal query load, and they'd remove the concerns of offline
> dictionary attacks. Whether or not they'd be adequate to deal with
> DoS scenarios is less obvious to me...
>
> I realize we're in radio silence about the details of DNSSECter, so I
> don't want to get into a detailed discussion about this idea. I
> mention it only because I haven't seen such an idea mentioned, and if
> we're seriously considering online signing then it's worth bearing in
> mind the possible shapes that a DNSSECter based on online signing
> might take to help inform the current extensibility analysis...

Bloom filters in DNSSEC are not new. SMB introduced them:

www.research.att.com/~smb/papers/draft-bellovin-dnsext-bloomfilt-00.txt

The combination with ad-hoc signing of synthesised NSEC where otherwise
it would have been a false positive is new.

Anyway, I think crypto acceleration cards' ops/sec are currently faster
than a DNSSEC-capable apparatus can serve in q/sec. I hope the
assumptions one might have about a crypto-driven DDoS attack are hereby
tuned to a non-issue.

Roy

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
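The scheme sketched in the quoted text and in Roy Arends' reply (a Bloom filter over the zone's owner names proves most non-existence for free; only a Bloom false positive, where the filter says "maybe" but the zone says "no", triggers a synthesised NSEC that is signed online), as an added illustration that is not part of the original thread and not anyone's implementation. Assumptions in the sketch: an HMAC stands in for the RRSIG a real signer would produce with a private key, the canonical ordering is a simplification of RFC 4034 (labels compared right to left, case-insensitively), wire format is ignored, and the `Zone`, `BloomFilter`, `query` and `verify_denial` names are invented here. A one-bit filter is used to force the collision path deterministically, so the cost of the signing fallback can be seen.

```python
"""Bloom-filter denial of existence with online NSEC signing on collisions.
Illustration only: HMAC stands in for an RRSIG (assumption), ordering is a
simplified RFC 4034 canonical order (assumption)."""
import hashlib
import hmac


class BloomFilter:
    """Minimal Bloom filter; the k bit positions come from salted SHA-256."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, item: str) -> bool:
        # No false negatives: a name in the zone always lights all k bits.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def canonical_key(name: str):
    """Sort key approximating RFC 4034 canonical order: a parent sorts
    before its children, siblings compare label by label from the right."""
    return tuple(reversed(_norm(name).split(".")))


def covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname falls strictly inside the NSEC interval (owner, nxt),
    including the wrap-around interval whose 'next' is the zone apex."""
    ok, nk, qk = map(canonical_key, (owner, nxt, qname))
    if ok < nk:
        return ok < qk < nk
    return ok < qk or qk < nk


def verify_denial(signing_key: bytes, proof: dict, qname: str) -> bool:
    """Check the synthesised NSEC: signature valid and interval covers qname."""
    if proof.get("proof") != "signed-nsec":
        return False
    msg = f"{proof['owner']} NSEC {proof['next']}".encode()
    expected = hmac.new(signing_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof["sig"]) and covers(
        proof["owner"], proof["next"], qname
    )


class Zone:
    def __init__(self, origin, names, signing_key: bytes, m_bits=4096, k_hashes=4):
        self.apex = _norm(origin)
        self.names = sorted({self.apex, *map(_norm, names)}, key=canonical_key)
        self.name_set = set(self.names)
        self.key = signing_key
        self.bloom = BloomFilter(m_bits, k_hashes)
        for n in self.names:
            self.bloom.add(n)
        self.signatures_made = 0  # counts the expensive online path

    def synthesize_nsec(self, qname: str) -> dict:
        """Closest existing predecessor of qname and its successor
        (wrapping to the apex), signed on demand."""
        qkey = canonical_key(qname)
        idx = max(i for i, n in enumerate(self.names) if canonical_key(n) < qkey)
        owner = self.names[idx]
        nxt = self.names[(idx + 1) % len(self.names)]
        sig = hmac.new(self.key, f"{owner} NSEC {nxt}".encode(), hashlib.sha256).hexdigest()
        self.signatures_made += 1
        return {"proof": "signed-nsec", "owner": owner, "next": nxt, "sig": sig}

    def query(self, qname: str) -> dict:
        q = _norm(qname)
        apex_key = canonical_key(self.apex)
        if canonical_key(q)[: len(apex_key)] != apex_key:
            raise ValueError(f"{qname} is not within zone {self.apex}")
        if q in self.name_set:
            return {"proof": "exists", "name": q}
        if not self.bloom.might_contain(q):
            # Filter says "definitely absent": the filter itself is the proof.
            return {"proof": "bloom-negative", "name": q}
        # False positive: fall back to an online-signed NSEC.
        return self.synthesize_nsec(q)
```

With a realistically sized filter, absent names mostly return `bloom-negative` and `signatures_made` stays low; with `m_bits=1` every lookup collides, so every absent name costs a signature, which is the DoS-shaped cost the quoted message leaves open.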