The DDOS problem & security BOF: Am i mistaken?

Paul Vixie vixie at
Wed Oct 15 22:22:25 UTC 2008

"Christopher Morrow" <morrowc.lists at> writes:

> On Wed, Oct 15, 2008 at 4:05 PM, Warren Kumari <warren at> wrote:
>> On Oct 14, 2008, at 12:08 PM, Scott Doty wrote:
>>> When a vendor at the security BOF starts showing documents that are
>>> "company confidential", and trying to whip up a climate of fear, that
>>> we should all deploy their product in front of our recursive name
>>> servers, i get this funny feeling that I am being "murk spammed".
>> ... I did not get the impression AT ALL that he was trying to sell his
>> service, but rather provide better service to his existing customers,
>> even going so far as to provide free devices to people who run large
>> recursive resolvers. ...

i've heard the following concerns about this free device expressed to me.

first, its value-add is its proprietary relationship to one dns authority
(ultradns), so if neustar deploys a lot of them it will create third party
incentive among domainholders to move their authority service to neustar.
so while other commercial authority dns vendors (such as nominum or
microsoft) might be willing to license this proprietary technology from
neustar and we can all assume that there are commercial terms under which
neustar would do this, we can also expect that domainholders who prefer to
self-host using f/l/oss (bind, nsd, tinydns, powerdns, etc) won't have that
option.  rodney said it was necessary that neustar not have to wait for the
standards community before deploying this service, but no one asked him why
he hasn't open-sourced his solution so that other dns authority suppliers
can also benefit from the recursive-dns frontend boxes he's giving away.  i
know that neustar is in the business of selling outsourced authority dns,
so i understood scott doty's comments as referring to the pressure a large
deployment of free recursive-dns frontend boxes will put on anyone who isn't
a neustar customer to please become a neustar customer so that their zones
will be safer.

second, there's no real possibility that someone who deploys a free neustar
box inline/upstream of their recursive dns server would also deploy a
second one if anyone else with a proprietary solution wanted to follow
neustar's example.  rodney did not say whether the front-end boxes were
user programmable or whether he planned to make it possible for competitors
of neustar to embed their solutions in this free box.  rodney also did not
say how many boxes would be available for free before neustar would have to
start charging for them, nor whether the price at that point would represent
cost recovery or also be a profit center for neustar.  these questions also
appear (to me) to be implied by scott doty's original question.

now for my own concerns.

> it's probably also worth noting that the person in question has a
> history of giving away this sort of protection (in other forms) for
> the DNS system... and innovating as a DNS service provider, both for
> free (howdy: and for a price.... I'm not sure I'd classify
> anything he does as a sales pitch in the venue in question.

in spite of my great admiration for rodney's lifetime of contribution, i do
not see any natural consequence toward dnssec from this dns frontend giveaway.
i have total confidence that the solution will work, and reasonable confidence
that it will indirectly improve neustar's revenue outlook, but no confidence
that anyone who wasn't planning to deploy dnssec in their product or network
will, as a result of rodney's work, decide to deploy dnssec.

far better in my opinion would be for rodney to sign all the zones he carries
(keeping the keys he has to generate in escrow to be surrendered to the
domainholders upon demand with a reasonable escrow and transfer fee), and to
either start his own DLV registry or to offer free secondary service to ISC's
DLV registry, and to submit all his customer keys to whichever DLV registry he
decided upon.  anyone running BIND 9.3.0 (not 9.6.0 as was mentioned -- we're
talking about old and somewhat stable code here) can just speak DLV directly.
anyone who can and wants to upgrade to BIND with its DLV support can do that.
anyone else could install a free recursive dns frontend box from neustar that
would do inline DLV.  but there's a pure software-only solution that would
work.  (noting that in rodney's preso he spoke of the many folks who have
never upgraded their nameservers, are still running BIND4, etc, but for the
larger recursive dns operators this isn't how they work and they can deploy
new code, and it would be very easy for nominum-ans and nlnetlabs-unbound to
implement DLV, which is unencumbered even though never subject to IETF delays.)

it's easy to assume that my worry about this is as someone in the authority
dns business whose customers (the vast majority of whom pay nothing), who
stands to lose market share when rodney starts pushing his boxes into the
field.  but since i've been giving away free shovels to people who mostly
want to buy holes, and rodney sells holes, i think that ship has already
sailed.  the baser knee-jerk reaction underlying my discomfort is that isc's
mission statement (front and center at values the autonomy of
the internet's participants.  dnssec does that.  a dnssec-based solution, or
a dnssec-leveraging solution, does that.  rodney's plan doesn't do that.

i'd welcome raw data about dns poisoning events, too.  we're scanning the
hell out of all the open recursives, and we're not finding much poison, in
spite of all the "please stop querying our nameserver!" complaints we incite.
so while i want dnssec, i'm pretty comfortable with 16-bit port randomization
as a stopgap.  rodney's free inline recursive dns frontend could just do 
16-bit port randomization if all we want is an until-there-is-dnssec stopgap.
Paul Vixie
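
Added example, not part of the original post: a check an operator can run over the UDP source ports logged for their own resolver's outbound queries, to see whether the port randomization discussed above as a stopgap is actually in effect. The function name, the thresholds and the sample port lists are constructed assumptions.

```python
import math
from collections import Counter

TXID_BITS = 16  # width of the DNS message ID field

def assess_source_ports(ports, min_span=16384):
    """Rate the UDP source ports seen on a resolver's outbound queries.

    min_span and the 0.8 cutoff are assumed thresholds for this example.
    Returns (verdict, bits), where bits is the rough size of the space a
    forged reply has to match: message ID plus usable port variation.
    """
    if len(ports) < 10:
        raise ValueError("need at least 10 observed queries")
    span = max(ports) - min(ports) + 1
    # Step between consecutive queries; one dominant step means the next
    # port is predictable even though many distinct ports are in use.
    steps = Counter((b - a) % 65536 for a, b in zip(ports, ports[1:]))
    top_share = steps.most_common(1)[0][1] / (len(ports) - 1)
    if span == 1:
        verdict, pool = "fixed", 1
    elif top_share >= 0.8:
        verdict, pool = "predictable", 1
    elif span < min_span:
        verdict, pool = "narrow", span
    else:
        verdict, pool = "randomized", span
    return verdict, TXID_BITS + math.log2(pool)

# Constructed samples standing in for ports pulled from a query log.
FIXED = [32768] * 12
INCREMENTING = list(range(1024, 1036))
NARROW = [1030, 1088, 1041, 1075, 1026, 1099,
          1050, 1062, 1033, 1091, 1047, 1070]
RANDOMIZED = [40213, 1530, 61877, 23044, 9912, 55310, 33001,
              47120, 2890, 18765, 64002, 12555, 29871, 51234,
              7001, 43210, 36999, 59123, 15432, 26789]

if __name__ == "__main__":
    samples = {"fixed": FIXED, "incrementing": INCREMENTING,
               "narrow": NARROW, "randomized": RANDOMIZED}
    for name, sample in samples.items():
        verdict, bits = assess_source_ports(sample)
        print(f"{name:13s} {verdict:12s} ~{bits:.1f} bits")
```

The span of a short sample only approximates the real port pool, so treat the bit count as a rough figure and feed the check a few hundred queries from a production log.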
