On Tue, 19 Aug 2008, Ted Lemon wrote:

> On Aug 19, 2008, at 8:15 PM, Dean Anderson wrote:
> > A verifying
> > DNSSEC cache can be poisoned with bad glue records using the poisoning
> > attack, with only a slight change to the Kaminsky software.
> 
> Do you mean that it can be convinced that an answer is valid when it  
> is not?

I mean that a validating cache can be convinced to think that a
delegation is unsigned by getting unsigned glue records without a DS
record.  This glue can refer to a working (bogus) nameserver, or it can
be a DOS on the delegation.  I might try to demonstrate this by running
code next week sometime.

One might be able to prevent this only if all zones and all delegations
have preconfigured keys, in which case RFC 4035 says a resolver
SHOULD believe a zone is signed if it has a preconfigured key. (So one
might still be spoof-able by an implementation that doesn't reject
unsigned responses in zones with preconfigured keys.)

Of course, updating all these preconfigured keys is going to be a PITA.
This is another operational drawback, and significant operational
expense. So DNSSEC is probably a self-inflicted DOS in practice after
some key changes.

                --Dean



-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
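As an added example, not part of this thread or of any resolver's code: the decision a validating resolver makes on a parent referral, following RFC 4035 section 5, where a missing DS record only makes a delegation insecure when its absence is proven by a signed NSEC/NSEC3 record from the parent, and a zone with a preconfigured key is always treated as a secure entry point. The `Referral` fields and `delegation_status` are constructed for illustration; glue addresses are deliberately absent because glue is never signed and never decides security status.

```python
from dataclasses import dataclass


@dataclass
class Referral:
    """What a validator has established about one referral (constructed fields)."""
    child: str
    parent_secure: bool            # parent zone already validated as secure
    ds_present: bool               # referral carries a DS RRset for the child
    ds_signed_valid: bool          # DS RRset verifies under the parent's DNSKEY
    denial_signed_valid: bool      # signed NSEC/NSEC3 from the parent proves "no DS"
    trust_anchor_configured: bool  # resolver holds a preconfigured key for the child


def delegation_status(r: Referral) -> str:
    """Classify the delegation as 'secure', 'insecure' or 'bogus'.

    Unsigned glue alone can never downgrade a delegation: only a validated
    DS, a validated proof of DS absence, or a trust anchor changes the state.
    """
    if r.trust_anchor_configured:
        # RFC 4035 4.3: a configured key makes the zone a secure entry point;
        # unsigned answers from it are later rejected as bogus.
        return "secure"
    if not r.parent_secure:
        # Nothing above can be validated, so nothing here can be either.
        return "insecure"
    if r.ds_present:
        return "secure" if r.ds_signed_valid else "bogus"
    # No DS in the referral: absence must be proven, not assumed.
    return "insecure" if r.denial_signed_valid else "bogus"


def spoofed_referral_is_rejected(child: str) -> bool:
    """Unsigned referral with no DS and no signed denial under a secure parent."""
    forged = Referral(child, parent_secure=True, ds_present=False,
                      ds_signed_valid=False, denial_signed_valid=False,
                      trust_anchor_configured=False)
    return delegation_status(forged) == "bogus"


if __name__ == "__main__":
    print("forged referral rejected:", spoofed_referral_is_rejected("example.test."))
```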


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
