On Tue, 19 Aug 2008, Ted Lemon wrote:

> On Aug 19, 2008, at 8:15 PM, Dean Anderson wrote:
> > A verifying DNSSEC cache can be poisoned with bad glue records using the
> > poisoning attack, with only a slight change to the Kaminsky software.
>
> Do you mean that it can be convinced that an answer is valid when it
> is not?
I mean that a validating cache can be convinced to think that a delegation is unsigned by getting unsigned glue records without a DS record. This glue can refer to a working (bogus) nameserver, or it can be a DOS on the delegation. I might try to demonstrate this by running code next week sometime.

One might be able to prevent this only if all zones and all delegations have preconfigured keys, in which case RFC 4035 says a resolver SHOULD believe a zone is signed if it has a preconfigured key. (So one might still be spoofable by an implementation that doesn't reject unsigned responses in zones with preconfigured keys.) Of course, updating all these preconfigured keys is going to be a PITA. This is another operational drawback, and a significant operational expense. So DNSSEC is probably a self-inflicted DOS in practice after some key changes.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
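The delegation decision this message turns on, shown as an added illustration that is not code from the thread or from any resolver: how a validator classifies a referral under RFC 4035 section 5 (Secure, Insecure or Bogus) and what it then does with the child's answers, including the preconfigured-key case. RRSIG and NSEC/NSEC3 verification are abstracted into booleans on constructed inputs; the `Referral` class, the scenario names and the zone names are assumptions made for this example.

```python
"""Model of how a DNSSEC validator decides the security status of a delegation
(RFC 4035 section 5) and what it does with answers from the child zone.

Added illustration only. Cryptographic checks (RRSIG verification, NSEC/NSEC3
denial proofs) are abstracted into booleans carried by the constructed inputs.
"""
from dataclasses import dataclass
from typing import Optional

SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"


@dataclass
class Referral:
    """A constructed referral for `child` as seen from the parent zone."""
    child: str
    ds_present: bool                       # parent included a DS RRset
    ds_rrsig_valid: Optional[bool] = None  # RRSIG(DS) verified with parent DNSKEY
    denial_valid: bool = False             # authenticated NSEC/NSEC3 proving no DS


def classify_delegation(ref: Referral, parent_status: str, trust_anchors: set) -> str:
    """Security status the validator assigns to the child zone."""
    # A preconfigured key for the child means the zone is expected to be signed
    # regardless of what the parent's referral says (RFC 4035 section 5.1).
    if ref.child in trust_anchors:
        return SECURE
    # Below an Insecure or Bogus parent there is no chain of trust to extend.
    if parent_status != SECURE:
        return parent_status
    if ref.ds_present:
        # The DS RRset must verify under the parent's DNSKEY.
        return SECURE if ref.ds_rrsig_valid else BOGUS
    # No DS under a Secure parent: only an authenticated denial of existence
    # lets the validator step down to Insecure. NS plus unsigned glue alone
    # proves nothing, so the delegation is Bogus and the referral is discarded.
    return INSECURE if ref.denial_valid else BOGUS


def accept_answer(zone_status: str, answer_validated: bool) -> bool:
    """Whether an answer from the child zone may be returned to clients."""
    if zone_status == SECURE:
        return answer_validated       # unsigned or failed-signature data rejected
    if zone_status == INSECURE:
        return True                   # no signatures expected
    return False                      # Bogus: SERVFAIL, nothing cached


def run_scenarios() -> dict:
    """Constructed referrals exercising each branch of the decision."""
    anchors = {"."}                   # only the root key is preconfigured
    results = {}

    # 1. Injected referral: NS + unsigned glue, DS stripped, no denial proof.
    forged = Referral("example.", ds_present=False)
    status = classify_delegation(forged, SECURE, anchors)
    results["forged_glue_no_ds"] = (status, accept_answer(status, False))

    # 2. Legitimately unsigned child: parent supplies NSEC proving there is no DS.
    unsigned = Referral("legacy.", ds_present=False, denial_valid=True)
    status = classify_delegation(unsigned, SECURE, anchors)
    results["proven_unsigned"] = (status, accept_answer(status, False))

    # 3. Signed child: DS present and its RRSIG verifies.
    signed = Referral("secure.", ds_present=True, ds_rrsig_valid=True)
    status = classify_delegation(signed, SECURE, anchors)
    results["signed_child"] = (status, accept_answer(status, True),
                               accept_answer(status, False))

    # 4. Child with its own preconfigured key under an Insecure parent: the
    #    parent's DS status is irrelevant, and an unsigned answer (for instance
    #    one the stale anchor can no longer validate) is rejected.
    anchored = Referral("corp.", ds_present=False)
    status = classify_delegation(anchored, INSECURE, anchors | {"corp."})
    results["preconfigured_key"] = (status, accept_answer(status, False))

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

Scenario 1 is the situation described in the message; scenario 4 is the preconfigured-key case and shows why a stale anchor turns into a self-inflicted outage rather than a downgrade to unsigned.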