dnscurve and DNS hardening, was Re: Dan Kaminsky

Ben Scott mailvortex at gmail.com
Fri Aug 7 22:23:22 UTC 2009


On Thu, Aug 6, 2009 at 6:06 AM, Alexander Harrowell
<a.harrowell at gmail.com> wrote:
> 1) Authenticate the nameserver to the client (and so on up the chain to the
> root) in order to defeat the Kaminsky attack, man in the middle, IP-layer
> interference. (Are you who you say you are?)

 DNSSEC fans will be quick to point out that if everyone used DNSSEC,
there would be no need to worry about Kaminsky attacks, etc.  Nobody
would bother with them since nobody would be vulnerable to them.

 Of course, expecting universal deployment of *anything* is a bit
silly, so I think worrying about the transport might have been a good
idea, too.  But then, the standard was written 15 or so years ago,
when CPU power was more expensive.  Plus there's generally not a lot
of trust between DNS client and server anyway, so I'm not really sure
it matters.  (It's not like most ISPs issue PKI certificates to their
customers.)

 Something DNSSEC *can't* defend against is a simple DoS flood of
bogus questions/answers.  Of course, I don't really think DNSCurve
can, either.  Sure, it discards bogus packets, but it burns up a lot
of CPU time doing so, so you're that much more vulnerable to a DoS
flood.  But then, given sufficient resources on the part of the
attacker, there's really nothing anyone can do *locally* to defend
against a DoS flood.  Stuff enough data into *any* tube and it will
clog.

-- Ben
