Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt
On Mon, 8 Sep 2008, Ron Bonica wrote:
> Do you deny that the vulnerabilities described in this document *could*
> be exploited? If this is your claim, and you can substantiate it, the WG
> will entertain your objection.
I'm asserting that whatever vulnerabilities do exist can be mitigated in
ordinary ways without closing open recursors, including by BCP38.
> However, if you are arguing any or all of the following, the WG will not
> entertain your objection:
>
> - that there have only been two attacks
> - that these attacks were contrived
> - that the organization reporting these attacks is not credible
> - that the organization reporting these attacks has not satisfied your
> requests for evidence
> - that there are easier ways to attack DNS
>
> This is because vulnerabilities need to be mitigated, regardless of
> whether they have been exploited.
All protocols have theoretical vulnerabilities. Your assertion that
"vulnerabilities need to be mitigated, regardless of whether they have
been exploited" is without basis. ICMP PING can be exploited, and is not
especially mitigated by the IETF. Whatever vulnerabilities posed by
open recursors can be mitigated in other, cheaper ways, without closing
open recursors. This document (and the specific action it states:
closing open recursors) is not necessary to mitigate open recursor
abuse. Open recursors have legitimate users and legitimate uses,
especially in light of recent cache poisoning attacks. One does not want
to trust someone else's recursor. Closing open recursors has a
significant expense in security and cost of new servers, and should be
well-justified.
Your assertion that false statements, contrived attacks, discredited
sources, and lack of evidence of harm, are somehow not legitimate
reasons to dispute a document is also without basis, and indeed is
refuted by IESG actions in TLS-AUTHZ.
The fabrications made for this document amount to fraud on the public.
It appears that proponents of this document are _encouraging_
exploitation of open recursors in the Rapid Enumeration Tool. (see
www.dnssec.net/software) The 'recursors-are-evil' document is just a
fraudulent scheme to sell DNSSEC software.
Rapid Enumeration Tool (RET) by Nominet UK
--------------------------------------------------------------------------------
The Rapid Enumeration Tool (RET) is designed to use DNSSEC NSEC records
to enumerate quickly zone data whilst evading detection by systems which
might be designed specifically to identify zone enumeration activity. It
does this by using one or more open recursive resolvers to forward
queries to the authoritative name servers for the zone. Each resolver is
configured with its own 'personality', specifying query rates, query
failure/success ratio, proportions of query types, query name
decoration, etc. This allows the RET to feed queries to each resolver,
that are specifically tailored to match the queries that a resolver
might typically send to the authoritative name server. Unlike other NSEC
resource record 'walkers', the RET does not explicitly query for NSEC
RRs to walk the zone. Instead, it combines a 'walker' approach with a
dictionary attack (combined with a random name generator for more
awkward cases). This means that discernible artifacts in the pattern of
queries that arrive at the authoritative servers should be minimised.
--
Av8 Internet Prepared to pay a premium for better
service? www.av8.net faster, more reliable, better service
617 344 9000
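The "ordinary ways" the reply alludes to include watching, on the recursor itself, for clients that draw far more response bytes than they send, which is the signature of spoofed-source reflection. The script below is an added illustration, not code from the thread or from any of the parties named in it; it assumes a simplified, constructed log format (epoch, client IP, qname, qtype, query bytes, response bytes) and thresholds chosen for the demo.

```python
"""Flag clients that appear to use an open recursor as an amplifying reflector.

Added example, not from the mailing-list thread. Input is a constructed,
simplified recursor log with one query per line:
    <epoch> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
Real resolver logs differ in layout; parse_line() is the part to adapt.
"""
from collections import defaultdict

# Constructed sample. 198.51.100.9 is the (presumably spoofed) source of a
# burst of large ANY answers; 192.0.2.20 behaves like an ordinary client.
SAMPLE_LOG = """\
1220870400 198.51.100.9 isc.org ANY 45 3200
1220870400 198.51.100.9 isc.org ANY 45 3200
1220870401 198.51.100.9 isc.org ANY 45 3200
1220870401 198.51.100.9 isc.org ANY 45 3200
1220870401 198.51.100.9 isc.org ANY 45 3200
1220870402 192.0.2.20 www.example.com A 33 49
1220870403 192.0.2.20 mail.example.com MX 34 80
"""

def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, qname, qtype, qbytes, rbytes = line.split()
    return {"ts": int(ts), "client": client, "qname": qname,
            "qtype": qtype, "qbytes": int(qbytes), "rbytes": int(rbytes)}

def reflector_suspects(log_text, min_qps=3.0, min_amp=10.0):
    """Return {client: (qps, amplification)} for clients whose query rate
    over their active span exceeds min_qps and whose response/query byte
    ratio exceeds min_amp. Thresholds are assumptions for the demo; in
    production they feed per-client response rate limiting, not a block."""
    stats = defaultdict(lambda: {"n": 0, "q": 0, "r": 0, "first": None, "last": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["n"] += 1
        s["q"] += rec["qbytes"]
        s["r"] += rec["rbytes"]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    suspects = {}
    for client, s in stats.items():
        span = max(s["last"] - s["first"], 1)   # at least one second
        qps = s["n"] / span
        amp = s["r"] / s["q"]
        if qps > min_qps and amp > min_amp:
            suspects[client] = (qps, round(amp, 2))
    return suspects

if __name__ == "__main__":
    print(reflector_suspects(SAMPLE_LOG))   # → {'198.51.100.9': (5.0, 71.11)}
```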
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop