[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[6bone] Request: two 6bone pTLAs

On 17-mei-04, at 0:25, Paul Jakma wrote:

> Damage at the moment is limited though, because recursive service at
> the moment is usually only provided to a small subset of "clients" -
> not the whole internet. Eg, the risk to $ISP is limited to evil
> clients of $ISP, not to the whole internet. A WKA public recursive
> DNS server would:

> - be open to poisoning by $EVIL-CLIENTs on the whole internet

> - the target audience of non-evil clients which would use this
> service and hence potentially be given poisoned DNS replies would be
> potentially the whole internet.

I'll skip over the point that anycasting limits all of this to a subset 
of the whole internet. In 1997, Alternic did some of this poisoning. 
They were quite successful at poisoning caches all over the place 
rather than just at their own ISP. It's not very hard to get someone to 
ask for some DNS data for which you are authorative. This is especially 
easy with email, and sometimes just visiting a web site is enough.

Anyone who is still vulnerable to this 7 years after the Alternic 
shennanigans is probably better of typing in addresses anyway.

> Well, the answer, allegedly, one day, is DNSSec and to have the root
> zones signed and trust established from that point down. But that
> will be a while. Until that day comes, I strongly feel that we should
> not mandate DNS resolvers to potentially fall back to a very
> exploitable public service.

Nobody is forcing anyone to USE this service. Any and all risks are 
only assumed by those who choose to use the service. As such, there is 
no reason not to run it just because it may be insecure. We *know* SMTP 
is insecure and still it's available all over the place.

>> 6to4 is a perfect example of what I want to do with WKA DNS
>> resolvers:

> Yes, I understand. The mechanics of the routing may be similar,
> however the security implications are quite different.

Yes, they are much worse for 6to4 because a malicious relay gets to see 
ALL traffic and launch man in the middle attacks.

> I feel that, unless there is reassurance from DNS gurus that
> poisoning would not be a problem, there should _not_ be a public
> service offering this.

I don't think my name is on the DNS guru list but I'm pretty sure this 
isn't an issue.