North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: DNS was Re: Internet Vulnerabilities
At 9:07 AM +0200 2002/07/15, Måns Nilsson quoted Simon Waters <Simon@wretched.demon.co.uk> as saying:
I would guess the "." zone probably isn't that large in absolute terms, so large ISPs (NANOG members ?) could arrange for their recursive servers to act as private secondaries of ".", thus eliminating the dependence on the root servers entirely for a large chunks of the Internet user base.
1266 A records 1243 NS records 1 SOA record 1 TXT record Currently, B, C, & F are open to zone transfers.
I think the kinds of zones being handled by the gtld-servers would be harder to relocate, if only due to size, although the average NANOG reader probably has rather more bandwidth available than I do, they may not have the right kind of spare capacity on their DNS servers to secondary ".com" at short notice.
Edu is pretty good size: 17188 NS records 5514 A records 1 SOA record 1 TXT record A complete zone transfer comprises some 1016491 bytes.
I disagree. This is only going to help those ISPs that are clued-in enough to act as a stealth secondary of the zone, and then only for those customers that will be using their nameservers as caching/recursive servers, or have their own caching/recursive servers forward all unknown queries to their ISPs. I'm sorry, but that's a vanishingly small group of people, and will have little or no measurable impact.All I think root server protection requires is someone with access to the relevant zone to make it available through other channels to large ISPs. There is no technical reason why key DNS infrastructure providers could not implement such a scheme on their own recursive DNS servers now, and it would offer to reduce load on both their own, and the root DNS servers and networks.
Better would be for the root nameservers to do per-IP address throttling. If you send them too many queries in a given period of time, they can throw away any excess queries. This prevents people from running tools like queryperf on a constant basis from excessively abusing the server.
Indeed, some root nameservers are already doing per-IP address throttling.
Keep in mind that some ccTLDs are pretty good size themselves. The largest domain I've been able to get a zone transfer of is .tv, comprising some 20919120 bytes of data -- 381812 NSes, 72694 A RRs, 5754 CNAMEs, and 3 MXes.In practical terms I'd be more worried about smaller attacks against specific CC domains, I could imagine some people seeing disruption of "il" as a more potent (and perhaps less globally unpopular) political statement, than disrupting the whole Internet.
Any zone that is served by a system that is both authoritative and public caching/recursive is wide-open for cache-poisoning attacks -- such as any zone served by nic.lth.se [188.8.131.52].
Who said that the root nameservers were geographically diverse? I don't think the situation has changed much since the list at <http://www.icann.org/committees/dns-root/y2k-statement.htm> was created. I don't call this geographically diverse.Similarly an attack on a commercial subdomain in a specific country could be used to make a political statement, but might have significant economic consequences for some companies. Attacking 3 or 4 servers is far easier than attacking 13 geographically diverse, well networked, and well protected servers.
Except for the performance issues, IMO ccTLDs should be held to the same standards of operation as the root nameservers, and thus subject to RFC 2010 "Operational Criteria for Root Name Servers" by B. Manning, P. Vixie and RFC 2870 "Root Name Server Operational Requirements" by R. Bush, D. Karrenberg, M. Kosters, & R. Plzak.I definitely agree. ccTLDen are in very varying states of security awareness, and while I believe .il is aware and prepared, other conflict zone domains might not be...
Those of you who are interested in this topic may want to drop in on my invited talk "Domain Name Server Comparison: BIND 8 vs. BIND 9 vs. djbdns vs. ???" at LISA 2002. Root & TLD server issues will figure heavily in comparison. ;-)
Brad Knowles, <email@example.com>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.