On 18 Aug 2008, at 05:11, Dean Anderson wrote:
Ok, I agree that totally DNSSEC-oblivious servers won't be a problem
for
DOS, but of course remain susceptible to poisoning even if the stub
resolver and the authority server both implement DNSSEC.
Kindly explain how is this any different from when poisoning occurs
when stub resolver and authority server don't implement DNSSEC.
The fact is DNSSEC is the *only* game in town for preventing cache
poisoning. So to go back to David's original question: will deploying
DNSSEC break anything that's already in use that doesn't support DNSSEC?
Now if that resolving server does pay attention to the DO bit, it
will
set it on the query it makes to the authoritative server. That makes
the authoritative server return an answer which will contain the new
RRSIG and the resolving server's cache is updated accordingly.
Ok. So what about caching servers that do understand the DO bit but
don't actually verify the responses? They just cache the response for
the stub resolver to verify? These servers can still be poisoned with
invalid record combinations that they pass on to stub resolvers,
resulting in the DOS. Such servers may still be subject to the race
condition I described.
How is this different from a resolving server not getting the correct
answer because it queried an authoritative server that hasn't seen the
latest version of the zone on the master? In fact in the somewhat
contrived scenario you pose, the stub resolver gets a validation
failure. So they at least know something has gone wrong. Which has to
be a great leap forward from getting bad (poisoned) data and not
having the slightest clue that has happened.
Ahhh. I see it now. Someone will deploy DNSSEC in their stub resolver.
But then they'll make that query a resolving server that doesn't speak
DNSSEC whenever their stub resolver wants to do a DNSSEC-aware lookup.
Right. Makes perfect sense. [Add scarcasm to taste.]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
