> From: Haya Shulman <[email protected]>
>
> > That claim against having "[injected] spoofed content into the DNS
> > response (despite the use of Eastlake cookies for protection)" is false
> > unless that attack was against DNS clients and servers using DNS
> > cookies, and not merely the cookies described in
> > https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03
> > but cookies in an as-yet unpublished proposal with a payload checksum.
> > Note that I thought that there are no available implementations even
> > of original flavor cookies.
>
> You may have missed the beginning of that discussion... Paul Vixie already
> suggested to add a CRC to protect against our fragmentation attacks, as
> well as the new attack idea that I proposed earlier in this thread, fyi:
> > i expect that in consideration of your fragmentation work, he will add a
> > 32-bit CRC covering the full message to the EDNS option that contains the
> > cookie.

That does not address my point. Did Haya Shulman test against DNS Cookies? If not, then the claim having "[injected] spoofed content into the DNS response (despite the use of Eastlake cookies for protection)" is false and at best an expression of hope that such an attack might work.

Please note that my question about whether this latest fragmentation attack was blind was not answered. If it was blind, as some have privately described their understandings, then how were UDP checksums fixed?

> In any case, it is great that you also agree that the published proposal
> may be vulnerable and propose to use checksum to prevent those attacks.

That misrepresents my words and my position. I am not convinced that this attack differs from the previous claimed attacks on DNS. They all seem to be easily fixed by properly deploying DNSSEC. They also all seem more difficult than other, easier attacks that achieve similar ends (bad DNS data), and that are also thwarted by properly deployed DNSSEC.

Given the UDP checksum, I do not understand the significant protection of adding a CRC to DNS Cookies. DNS responses do need protection, but that's the job of DNSSEC. DNS Cookies have been advocated for reducing false positives for anti-reflection mechanisms such as RRL. For that purpose, DNS Cookies are on DNS requests instead of responses, and I see no good there from adding a CRC.

Vernon Schryver [email protected]
