On Mon, 18 Aug 2008, Jim Reid wrote:

> And why would these caching servers be signing anything? It's the
> master server that signs the zone.

I never said otherwise.

Ok, I agree that totally DNSSEC-oblivious servers won't be a problem for
DOS, but of course remain susceptible to poisoning even if the stub 
resolver and the authority server both implement DNSSEC.

> Now if that resolving server does pay attention to the DO bit, it will
> set it on the query it makes to the authoritative server. That makes
> the authoritative server return an answer which will contain the new
> RRSIG and the resolving server's cache is updated accordingly.

Ok. So what about caching servers that do understand the DO bit but
don't actually verify the responses? They just cache the response for
the stub resolver to verify?  These servers can still be poisoned with
invalid record combinations that they pass on to stub resolvers,
resulting in the DOS.  Such servers may still be subject to the race
condition I described.

And the caching servers that do verify are susceptible to the DOS
attack I described.

                --Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
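The failure mode Dean raises above (a DO-aware but non-validating cache handing a stub resolver an RRset and an RRSIG that no longer belong together, so the stub's validation fails and the name becomes unresolvable) can be made concrete with a small model. The code below is an added example, not part of the thread or of any resolver implementation: an HMAC over the canonical RRset stands in for an RRSIG, a shared `ZONE_KEY` stands in for the DNSKEY/DS chain, TTLs are plain expiry timestamps, and the "refetch both on mismatch" behaviour of the validating resolver is an assumption of the model, not a description of any particular software.

```python
"""Toy model of the three DNSSEC roles in the thread: authoritative server,
DO-aware caching resolver (validating or not), and validating stub.
Everything here is constructed for illustration; HMAC is NOT how RRSIGs work."""
import hashlib
import hmac

ZONE_KEY = b"constructed-zone-signing-key"  # constructed stand-in for the zone's DNSKEY


def sign_rrset(key, name, rtype, rdata):
    """Stand-in for an RRSIG: HMAC over the canonical form of the RRset."""
    canon = "|".join([name, rtype] + sorted(rdata)).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def validate(key, name, rtype, rdata, sig):
    """Stand-in for RRSIG validation; a missing signature never validates."""
    if sig is None:
        return False
    return hmac.compare_digest(sig, sign_rrset(key, name, rtype, rdata))


class Authority:
    """Master server: holds the zone data and signs it on the fly."""

    def __init__(self, key):
        self.key = key
        self.zone = {}

    def publish(self, name, rtype, rdata):
        self.zone[(name, rtype)] = sorted(rdata)

    def query(self, name, rtype, do_bit):
        rdata = self.zone[(name, rtype)]
        sig = sign_rrset(self.key, name, rtype, rdata) if do_bit else None
        return rdata, sig


class CachingResolver:
    """Understands the DO bit (always sets it upstream) but only validates when
    asked to. RRset and RRSIG are cached as separate entries with their own
    TTLs, which is what opens the window for an inconsistent combination."""

    def __init__(self, upstream, key, validates, ttl_rrset, ttl_rrsig):
        self.upstream = upstream
        self.key = key
        self.validates = validates
        self.ttl = {"rrset": ttl_rrset, "rrsig": ttl_rrsig}
        self.cache = {}  # (name, rtype, kind) -> (value, expires_at)

    def _cached(self, name, rtype, kind, now):
        entry = self.cache.get((name, rtype, kind))
        return entry[0] if entry and entry[1] > now else None

    def _store(self, name, rtype, rr, sig, now):
        self.cache[(name, rtype, "rrset")] = (rr, now + self.ttl["rrset"])
        self.cache[(name, rtype, "rrsig")] = (sig, now + self.ttl["rrsig"])

    def resolve(self, name, rtype, now):
        rr = self._cached(name, rtype, "rrset", now)
        sig = self._cached(name, rtype, "rrsig", now)
        if rr is None or sig is None:
            # Only the expired piece is replaced; the other stays as cached.
            fresh_rr, fresh_sig = self.upstream.query(name, rtype, do_bit=True)
            rr = rr if rr is not None else fresh_rr
            sig = sig if sig is not None else fresh_sig
            self._store(name, rtype, rr, sig, now)
        if self.validates and not validate(self.key, name, rtype, rr, sig):
            # Assumed mitigation: never serve a combination that does not
            # validate; refetch RRset and RRSIG together and re-check.
            rr, sig = self.upstream.query(name, rtype, do_bit=True)
            self._store(name, rtype, rr, sig, now)
            if not validate(self.key, name, rtype, rr, sig):
                return "SERVFAIL"
        return rr, sig


def stub_lookup(resolver, key, name, rtype, now):
    """Validating stub: anything that does not verify is a failed lookup."""
    answer = resolver.resolve(name, rtype, now)
    if answer == "SERVFAIL":
        return "SERVFAIL"
    rr, sig = answer
    return rr if validate(key, name, rtype, rr, sig) else "SERVFAIL"


def scenario(resolver_validates):
    """Zone is changed and re-signed while the old RRset is still cached but
    its RRSIG has expired. Returns (answer before change, answer after)."""
    auth = Authority(ZONE_KEY)
    auth.publish("www.example.", "A", ["192.0.2.1"])
    res = CachingResolver(auth, ZONE_KEY, resolver_validates,
                          ttl_rrset=300, ttl_rrsig=60)
    first = stub_lookup(res, ZONE_KEY, "www.example.", "A", now=0)
    auth.publish("www.example.", "A", ["192.0.2.2"])   # zone edited and re-signed
    second = stub_lookup(res, ZONE_KEY, "www.example.", "A", now=100)
    return first, second


if __name__ == "__main__":
    print("non-validating cache:", scenario(False))  # second answer is SERVFAIL
    print("validating cache:    ", scenario(True))   # second answer is the new RRset
```

Running `scenario(False)` shows the combination Dean describes: the cache still has the old A record, fetches only the new RRSIG, and the stub rejects the pair, so the name fails to resolve until the stale RRset ages out. `scenario(True)` shows the resolver itself noticing the mismatch before it reaches the stub; whether a real validating resolver recovers this way, or fails as Dean argues, depends on how it treats the two records, which the model deliberately leaves as a parameter.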
