Re: [DNSOP] dns data exchanged between host and local dns-sever

[madi]

Hi, Stephane.
I cannot agree with you any more. However, with regard to “the lying resolver” 
you’ve mentioned, to make it clearer, I’d like to bring in the Cache Poisoning 
which IPsec and TSIG cannot protect against. In practice, the response form the 
intended recursive server is in the form of plaintext. Once a recursive server 
has been hacked by the cache poisoning attack, the IPSec or the TSIG is to 
actually guarantee integrity and authentication of the “fake response”. And it 
needs to be pointed out that a poisoning attack on a single ISP DNS recursive 
server can affect numerous users serviced directly by the compromised server or 
indirectly by its downstream server(s) if applicable.
 
To give a countermeasure, the response from a recursive sever might as well be 
cached in form of both plaintext and ciphertext which is generated by the very 
recursive server. That’s to say, once a certain DNS resource record arrives 
from an authoritative name-server, the recursive sever should encrypt the DNS 
response and then cache it right away before the potential cache poisoning 
attack. If the data exchanged between local recursive server and authoritative 
name-server is secured by DNSSEC, a similar course should be followed by the 
recursive sever right after the DNSSEC verification.
 
Once the requester, a PC typically, gets the response in dual forms, it can 
then verify the correlation between them. If so, even the attacker has poisoned 
the DNS information cache, yet the two forms of poisoned cache, plaintext and 
ciphertext, could not be in accordance with each other. Consequently, the 
verification to them by a requester will never pass and then the phishing would 
be avoided.
 
With respect to the generation and the distribution of the key for the 
ciphertext mentioned above, further deliberation is needed.
 
Any critical will be appreciated.


2009-04-30 



madi 



发件人： Stephane Bortzmeyer 
发送时间： 2009-04-23  19:40:15 
收件人： Scott Rose 
抄送： m...@cnnic.cn; dnsop 
主题： Re: dns data exchanged between host and local dns-sever 
 
On Thu, Apr 23, 2009 at 07:10:13AM -0400,
 Scott Rose   wrote 
 a message of 65 lines which said:

>>Those are the DNS protocol mechanisms in place.  There is also lower
>>level security technologies such as IPsec that could be used between
>>stub clients and recursive servers that don't rely on DNSSEC at all.

>TSIG, IPsec and friends have all the same issue: they check that the
>response does come from the intended resolver, not that the response
>is authentic. At a time where any hotel provides Internet access with
>a lying resolver, this is probably not sufficient.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] WGLC: DNSSEC Trust Anchor Configuration and Maintenance

[Paul Hoffman]

At 8:13 PM +0200 4/22/09, Peter Koch wrote:
>Please review the draft and send comments and/or statements of support or
>non-support to the WG mailing list.
>There will be a five reviewer threshold.

I support the publication of this document. Some comments:

Section 2: "Using a DS format is also recommended because it is smaller than 
the DNSKEY format and is easier to enter manually, either by typing or cutting 
and pasting." I don't know of anyone who can accurately type Base64 for more 
than a few bits worth. I agree that cut-and-paste of Base64 for DS is easier 
than for a DNSKEY.

Section 3: "Priming can occur when the validating resolver starts, but a 
validating resolver SHOULD defer priming of individual trust anchors until each 
is first needed for verification." I disagree with this as a SHOULD; "may want 
to" is much more appropriate. I see nothing wrong with wanting to get the first 
round of crypto out of the way at startup.

Section 3: "Following are the steps a validating resolver SHOULD take to prime 
a configured trust anchor:". What do you propose they do if they don't follow 
the SHOULD? All four of those steps feel pretty damn required.

Section 4, "Trusted update mechanism": "This mechanism is realistically only 
feasible for updating a small number of trust anchors, such as for the 
top-level domains." That statement is conjecture unsupported by facts. What is 
so hard about doing this for a few thousand trust anchors? The queries will be 
spread over hours (if not weeks). Maybe remove the sentence, or soften it.


--Paul Hoffman, Director
--VPN Consortium
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop