On Thu, Feb 15, 2024 at 4:37 AM Petr Špaček <pspa...@isc.org> wrote:
> On 14. 02. 24 16:45, Shumon Huque wrote:
> >
> > What colliding keytag limits are other resolver implementers placing?
>
> Right now BIND tolerates 1 validation failure before hard-failing. This
> counter is not limited to colliding key tags.
>

You didn't quite answer my specific question - does BIND now have a limit on keytag collisions, and if so, what is it?

For your more general answer, I want to make sure I clearly understand what you are saying. Does "hard-failing" mean blacklisting only the authoritative server that gave the bad response that caused any validation failure, and re-trying other available servers for the zone (to some limit)? Or does it mean hard-failing the entire zone?

I hope it is not the latter, otherwise that makes an attacker's job so much easier. Target only one authoritative server for a zone with an inline attack, blind cache poison attack etc. (and feed it any of a wide range of possible responses: colliding keytags, bogus signatures, expired signatures, missing signatures), and they can take your whole site off the Internet.

Resolvers need to have robust re-try behavior in the face of attacks (or misconfigurations, or unavailability). This all of course has to be balanced with the requirement to bound the amount of work (but as I pointed out in my earlier email, this was known in 1987, though implementers seem to have forgotten that fundamental principle sometimes).

Shumon.
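The tension in the message above (bounding validation work versus not giving up too early) is easy to see in code. The following is an added illustration, not BIND's code or anything from the thread: it computes DNSKEY key tags per RFC 4034 Appendix B, constructs distinct keys that collide on the tag, and runs a validator that stops after a configurable number of failed signature verifications. The key bytes, the signed data, and `toy_sign`/`toy_verify` (a keyed hash standing in for real algorithm-specific ECDSA/RSA verification so the example runs without a crypto library) are all assumptions made for the example.

```python
"""
Added example (not BIND's or any resolver's implementation): RFC 4034 key-tag
computation, construction of colliding DNSKEYs, and a validator whose work is
bounded by a failure counter.  Crypto is a placeholder keyed hash.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: the input to the key tag computation.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B.1 key tag (applies to all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(key.rdata()):
        acc += (b << 8) if i % 2 == 0 else b   # even offsets weigh 256x
    acc += (acc >> 16) & 0xFFFF                # fold the carry back in
    return acc & 0xFFFF


def colliding_variant(key: DNSKEY, i: int, j: int) -> DNSKEY:
    """Return a different DNSKEY with the same key tag.

    The tag is a position-parity-weighted sum of RDATA bytes, so swapping two
    public-key bytes whose offsets share parity leaves the sum unchanged.  The
    4-byte RDATA header means parity in public_key equals parity in RDATA.
    """
    if i % 2 != j % 2 or key.public_key[i] == key.public_key[j]:
        raise ValueError("offsets must share parity and hold different bytes")
    pk = bytearray(key.public_key)
    pk[i], pk[j] = pk[j], pk[i]
    return DNSKEY(key.flags, key.protocol, key.algorithm, bytes(pk))


def toy_sign(key: DNSKEY, signed_data: bytes) -> bytes:
    # ASSUMPTION: keyed hash stands in for a real signature algorithm.
    return hashlib.sha256(key.rdata() + signed_data).digest()


def toy_verify(key: DNSKEY, signed_data: bytes, signature: bytes) -> bool:
    # ASSUMPTION: placeholder for algorithm-specific verification; never use as-is.
    return toy_sign(key, signed_data) == signature


def validate_rrsig(
    rrsig_tag: int,
    rrsig_alg: int,
    signed_data: bytes,
    signature: bytes,
    dnskeys: List[DNSKEY],
    max_failures: int = 1,
    verify: Callable[[DNSKEY, bytes, bytes], bool] = toy_verify,
) -> Tuple[str, int]:
    """Try every DNSKEY matching the RRSIG's (algorithm, key tag), in RRset order,
    but stop once max_failures verifications have failed.

    Returns (status, verifications_attempted); status is "secure",
    "bogus" (every candidate failed) or "bogus-limit" (work cap stopped the search).
    """
    candidates = [k for k in dnskeys if k.algorithm == rrsig_alg and key_tag(k) == rrsig_tag]
    failures = attempts = 0
    for k in candidates:
        if failures >= max_failures:
            return "bogus-limit", attempts
        attempts += 1
        if verify(k, signed_data, signature):
            return "secure", attempts
        failures += 1
    return "bogus", attempts


def demo() -> dict:
    """Three keys with one tag; the real signer is listed last (worst case)."""
    signer = DNSKEY(256, 3, 13, bytes(range(64)))     # constructed bytes, not a real key
    decoy_a = colliding_variant(signer, 0, 2)
    decoy_b = colliding_variant(signer, 4, 6)
    rrset = [decoy_a, decoy_b, signer]
    data = b"www.example. IN A 192.0.2.1"               # constructed signed data
    sig = toy_sign(signer, data)
    tag = key_tag(signer)
    return {
        "tags_collide": len({key_tag(k) for k in rrset}) == 1,
        "strict": validate_rrsig(tag, 13, data, sig, rrset, max_failures=1),
        "lenient": validate_rrsig(tag, 13, data, sig, rrset, max_failures=4),
    }


if __name__ == "__main__":
    print(demo())
```

With one tolerated failure the RRset is declared bogus after a single verification even though a valid key is present; with a larger cap it validates on the third attempt. A complete resolver also needs the retry-across-servers behavior the message asks about, and since candidate order follows the DNSKEY RRset as received, a cap this low lets whoever can influence that response decide the outcome.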
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop