Possibly questionable security decisions in DNS root management

Florian Weimer fweimer at bfk.de
Wed Oct 21 03:59:52 EDT 2009


* Perry E. Metzger:

> Actually, there are routine attacks on DNS infrastructure these days,
> but clearly they're not cryptographic since that's not
> deployed. However, a large part of the point of having DNSSEC is that we
> can then trust the DNS to be accurate so we can insert things like
> cryptographic keys into it.

As far as I know, only the following classes of DNS-related incidents
have been observed:

  (a) Non-malicious incorrect DNS responses from caches

      (a1) as the result of defective software
      (a2) due to misconfiguration
      (a3) as a means to generate revenue
      (a4) as a means to generate revenue, but informed consent
           of the affected party is disputed
      (a5) to implement local community standards

  (b) Compromised service provider infrastructure

      (b1) ISP caching resolvers
      (b2) ISP-provisioned routers/DNS proxies at customer sites
      (b3) authoritative name servers and networks around authoritative
           name servers
      (b4) as the result of registrar/registry data manipulation

  (c) DNS as a traffic amplifier, used for denial-of-service attacks
      both against DNS and non-DNS targets

  (d) in-protocol, non-spoofed DNS-based reflective attacks against
      authoritative servers

  (e) unclear incidents for which sufficient data is not available

The problem is that the "attacks" you mentioned are in class (e), but
likely belong to (a1) and (a2) if we had more insight into them.
Certainly, bad data itself is not proof of malicious intent.

(NB: (a1) does *not* include software using predictable query source
ports.  There does not appear to be corresponding attack activity.)

> I'm particularly concerned about the fact that it is difficult to a
> priori analyze all of the use cases for DNSSEC and what the incentives
> may be to attack them.

Well, this seems to be rather constructed to me.  You state that
DNSSEC is a game changer, and then it's indeed pretty unclear what
level of cryptographic protection is required.  But in reality, DNSSEC
adoption is not likely to change DNS usage patterns.  If there's an
effect, it will be due to the more rigid protocol specification and a
gradual phase-out of grossly non-compliant DNS implementations, and
not due to the cryptography involved.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

---------------------------------------------------------------------
The Cryptography Mailing List