> From: Brian Dickson <briand@ca.afilias.info>
> To: Paul Vixie <vixie@isc.org>
> CC: bert hubert <bert.hubert@netherlabs.nl>, namedroppers@ops.ietf.org, 
>  dns-operations@lists.oarci.net

plz don't ever crosspost between namedroppers and dnsops.  no possible
article is of interest to both audiences.  i'm removing dnsops, as well
as bert and brian since i know they are on namedroppers.

> ...
> At the root of the Kaminsky vulnerability is the ability to feed data
> into a cache, where the data in question is provided in the "Additional"
> section.

no.  the root of the kaminsky vulnerability is the ability to run a race
more than once and with a head start.  actual pollution can come in the
answer section (cname chains passing through or ending in names one wishes
to pollute), the authority section (replacement NS RRs for the baliwick
apex, or new subdomains of the baliwick), or the additional section (after
kashpureff resistance has been applied there are still many forms of evil
given the ability to arbitrarily populate the answer and authority sections.)

it's a mistake to focus on any one section or any one form of pollution.
the reason i'm enamored (in general, though there are many problems left
to solve in the proposals) of the approaches advocated by masataka ohta
and nick weaver is that they start from the question, what of all this do
we HAVE to believe, and why, and what's the cost of disbelief, and what
are our alternative means of acquiring the data, and what are the costs of
those alternatives, and furthermore, what does "belief" really mean?  in
other words, how can we "fail closed".

note that there may be other ways to achieve the "kaminsky effect" that do
not involve misdirection.  if an RDNS fails to implement birthday protection
(sends multiple simultaneous upstream queries for a given q-tuple), or fails
to cache the result (an rrset, or an nxdomain, or a nodata condition) for a
given q-tuple, or if an ADNS deterministically never answers some kinds of
questions (like undefined qtypes), or if a middlebox deterministically drops
some kinds of questions or some kinds of answers (like qtypes unknown to it)
then the "kaminsky effect" might be produced without the "sibling name trick"
and in those cases the answer matching the q-type could also be poisonous.

so even while my own toy RDNS now refuses to replace NS RRsets, and does not
cache any answer RRsets other than the one matching the q-tuple, and fully
implements RFC 2181's rrset credibility logic, and fully implements dns-0x20,
i do not feel "safe" yet.  when i can successfully reason from the starting
point "what should i use or keep?" rather than "what shouldn't i use or keep?"
then i'll be on a path that could lead to feeling safe.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>