DNS hardening, was Re: Dan Kaminsky

Florian Weimer fweimer at bfk.de
Thu Aug 6 07:07:32 UTC 2009


* Douglas Otis:

> Establishing SCTP as a preferred DNS transport offers a safe harbor
> for major ISPs.

SCTP is not a suitable transport for DNS, for several reasons:

Existing SCTP stacks are not particularly robust (far less than TCP).
The number of bugs still found in them is rather large.

Only very few stacks (if any) implement operation without kernel
buffers.  The remaining ones are subject to the same state exhaustion
attacks as TCP stacks are.

At least some parts of SCTP and the SCTP API were designed for a
cooperative environment.

The SCTP API specification is very ambiguous, which is quite strange
for such a young protocol.  For instance, it is not clear whether, if
a single socket is used to communicate with multiple peers,
head-of-line blocking can occur.

The protocol has insufficient signalling to ensure that
implementations turn off features which are harmful on a global scale.
For instance, persistent authoritative <-> resolver connections only
work if you switch off heartbeat, but the protocol cannot do this, and
it is likely that many peers won't do it.

SCTP proposers generally counter these observations by referring to
extensions and protocols which are not yet standardized, not
implemented, or both, constantly moving the goalposts.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99