On Aug 18, 2008, at 8:22 PM, Masataka Ohta wrote:
> You mean all the DNSSEC clients should directly ask authoritative
> nameservers

Yes.

> and all the firewalls preventing so should be modified.

The vast majority of firewalls allow 'connections' (even UDP ones) to
be initiated from the inside. Those that prevent DNS from working
correctly could be modified or upgraded, or the administrators could
trust in that firewall to protect the caching server used by multiple
clients from the DDoS attacks you are concerned about.

> Let's assume all the clients agree with you and start using DNSSEC
> and all the administrators of firewalls agree with you and perform
> modification (though I don't know how NAT can be modified).

NAT does not need to be modified. As I type this, I am behind a
commercial (relatively low end -- an Apple Airport Extreme
base station) NAT with firewalling enabled. It works just fine.

> Then, the increased load is a very good reason for root servers not
> to support DNSSEC.

The root server operators have demonstrated that they are quite
capable of ramping capacity to meet demand (actually, the root servers
are wildly over-provisioned to try to deal with DDoS attacks, so I
doubt the increase in load caused by what I'm suggesting would even be
an issue).

Alternatively, we could move to a more distributed model of DNS
operations in which the caching servers that are doing DNSSEC cache
the entire root zone, perhaps zone transferring the signed root zone
from some authoritative and trusted place. Since the root trust
anchor would be published, the root zone data would be verifiable, so
fears of a corrupted root zone would be eliminated.

I suspect a combination of both would more than suffice.

What's more, recent studies have indicated that approximately 98% of
the traffic hitting the root servers is pure crap. Interestingly,
when the L-root server was renumbered, it seems the quantity of
traffic hitting that root server is significantly lower than the
others. One possible reason for this could be that people just don't
like ICANN. Another reason could be that a really tremendous amount
of crap is being generated by servers that are so old that they don't
notice a root server address change. In the latter case, pushing
caching servers out towards the edges would almost certainly entail
upgrading those name servers. As a result, the root servers might
actually see a reduction in traffic.

>> I am curious what you propose as an alternative.
>
> Abandon DNSSEC and accept the reality that, even with DNSSEC,
> management of DNS is not very secure.

Ah. The "Math is hard. Let's go shopping." alternative. Not sure
this is particularly helpful.
Regards,
-drc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
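The verification step sketched in the reply above (a caching server that holds its own copy of the signed root zone checks the zone's key against the published root trust anchor before trusting anything in that copy), as an added Python example that is not part of the thread or of any root-server software: it models the DS-digest and key-tag check from RFC 4034, and all key bytes, owner names and the anchor format are constructed assumptions for illustration.

```python
import hashlib
import struct

# Constructed KSK-style DNSKEY for the root: flags 257 (ZONE + SEP), protocol 3,
# algorithm 8 (RSASHA256). The public key bytes are placeholders, not a real key.
ROOT_OWNER = "."
ROOT_KSK_RDATA = struct.pack("!HBB", 257, 3, 8) + b"\x03\x01\x00\x01" + bytes(range(32))

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; '.' is the root."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:  # the root name has no labels, only the terminating zero
            wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8   # even offsets are the high byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name wire form || DNSKEY RDATA); type 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()

def make_anchor(owner: str, rdata: bytes) -> dict:
    """Build a DS-style trust anchor (what the operator would publish) from a DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata, 2)}

def matches_trust_anchor(anchor: dict, owner: str, rdata: bytes) -> bool:
    """True only if tag, algorithm and digest of the DNSKEY all agree with the anchor.

    A resolver holding a copy of the whole root zone runs this against the zone's
    DNSKEY RRset before accepting any RRSIG in that copy; a mismatch means the
    copy (or the anchor) cannot be trusted, whoever served it."""
    if anchor["key_tag"] != key_tag(rdata) or anchor["algorithm"] != rdata[3]:
        return False
    return ds_digest(owner, rdata, anchor["digest_type"]) == anchor["digest"]

if __name__ == "__main__":
    anchor = make_anchor(ROOT_OWNER, ROOT_KSK_RDATA)
    tampered = ROOT_KSK_RDATA[:-1] + b"\x00"   # one byte of key material altered
    print("genuine key matches anchor:", matches_trust_anchor(anchor, ROOT_OWNER, ROOT_KSK_RDATA))
    print("tampered key matches anchor:", matches_trust_anchor(anchor, ROOT_OWNER, tampered))
```

The digest check covers only the key; the full chain (RRSIG over the DNSKEY RRset, then over each RRset in the zone copy) follows from it.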