North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: The DDOS problem & security BOF: Am i mistaken?
"Christopher Morrow" <morrowc.lists@xxxxxxxxx> writes: > On Wed, Oct 15, 2008 at 4:05 PM, Warren Kumari <warren@xxxxxxxxxx> wrote: >> >> On Oct 14, 2008, at 12:08 PM, Scott Doty wrote: > >>> When a vendor at the security BOF starts showing documents that are >>> "company confidential", and trying to whip up a climate of fear, that >>> we should all deploy their product in front of our recursive name >>> servers, i get this funny feeling that I am being "murk spammed". >> >> ... I did not get the impression AT ALL that he was trying to sell his >> service, but rather provide better service to his existing customers, >> even going so far as to provide free devices to people who run large >> recursive resolvers. ... i've heard the following concerns about this free device expressed to me. first, its value-add is its proprietary relationship to one dns authority (ultradns), so if neustar deploys a lot of them it will create third party incentive among domainholders to move their authority service to neustar. so while other commercial authority dns vendors (such as nominum or microsoft) might be willing to license this proprietary technology from neustar and we can all assume that there are commercial terms under which neustar would do this, we can also expect that domainholders who prefer to self-host using f/l/oss (bind, nsd, tinydns, powerdns, etc) won't have that option. rodney said it was necessary that neustar not have to wait for the standards community before deploying this service, but noone asked him why he hasn't open-sourced his solution so that other dns authority suppliers can also benefit from the recursive-dns frontend boxes he's giving away. i know that neustar is in the business of selling outsourced authority dns, so i understood scott doty's comments as referring to the pressure a large deployment of free recursive-dns frontend boxes will put on anyone who isn't a neustar customer to please become a neustar customer so that their zones will be safer. second, there's no real possibility that someone who deploys a free neustar box inline/upstream of their recursive dns server would also deploy a second one if anyone else with a proprietary solution wanted to follow neustar's example. rodney did not say whether the front-end boxes were user programmable or whether he planned to make it possible for competitors of neustar to embed their solutions in this free box. rodney also did not say how many boxes would be available for free before neustar would have to start charging for them, nor whether the price at that point would represent cost recovery or also be a profit center for neustar. these questions also appear (to me) to be implied by scott doty's original question. now for my own concerns. > it's probably also worth noting that the person in question has a > history of giving away this sort of protection (in other forms) for > the DNS system... and innovating as a DNS service provider, both for > free (howdy: 126.96.36.199) and for a price.... I'm not sure I'd classify > anything he does as a sales pitch in the venue in question. in spite of my great admiration for rodney's lifetime of contribution, i do not see any natural consequence toward dnssec from this dns frontend giveaway. i have total confidence that the solution will work, and reasonable confidence that it will indirectly improve neustar's revenue outlook, but no confidence that anyone who wasn't planning to deploy dnssec in their product or network will, as a result of rodney's work, decide to deploy dnssec. far better in my opinion would be for rodney to sign all the zone he carries (keeping the keys he has to generate in escrow to be surrendered to the domainholders upon demand with a reasonable escrow and transfer fee), and to either start his own DLV registry or to offer free secondary service to ISC's DLV registry, and to submit all his customer keys to whichever DLV registry he decided upon. anyone running BIND 9.3.0 (not 9.6.0 as was mentioned -- we're talking about old and somewhat stable code here) can just speak DLV directly. anyone who can and wants to upgrade to BIND with its DLV support can do that. anyone else could install a free recursive dns frontend box from neustar that would do inline DLV. but there's a pure software-only solution that would work. (noting that in rodney's preso he spoke of the many folks who have never upgraded their nameservers, are still running BIND4, etc, but for the larger recursive dns operators this isn't how they work and they can deploy new code, and it would be very easy for nominum-ans and nlnetlabs-unbound to implement DLV, which is unencumbered even though never subject to IETF delays.) it's easy to assume that my worry about this is as someone in the authority dns business whose customers (the vast majority of whom pay nothing), who stands to lose market share when rodney starts pushing his boxes into the field. but since i've been giving away free shovels to people who mostly want to buy holes, and rodney sells holes, i think that ship has already sailed. the baser knee-jerk reaction underlying my discomfort is that isc's mission statement (front and center at www.isc.org) values the autonomy of the internet's participants. dnssec does that. a dnssec-based solution, or a dnssec-leveraging solution, does that. rodney's plan doesn't do that. i'd welcome raw data about dns poisonining events, too. we're scanning the hell out of all the open recursives, and we're not finding much poison, in spite of all the "please stop querying our nameserver!" complaints we incite. so while i want dnssec, i'm pretty comfortable with 16-bit port randomization as a stopgap. rodney's free inline recursive dns frontend could just do 16-bit port randomization if all we want is an until-there-is-dnssec stopgap. -- Paul Vixie