[ratelimits] error in amplification attack

P Vixie paul at redbarn.org
Wed Nov 14 03:34:05 UTC 2012


A referral from a signed zone to a signed sub zone will include a signed DS RRset. NS RRsets and glue A or AAAA RRsets, by comparison, are not signed in the parent and therefore not signed in the delegation response. Nor will there be any DNSKEY records or NSEC records. But signed delegations will still be uncomfortably large when received from some orbital death ray projector that receives a spoofed query flow with your source address.

An upward delegation is actually a protocol error, but a lot of older servers, especially BIND, do send them. Oops, sorry about that. They should never be signed though.

Paul

Vernon Schryver <vjs at rhyolite.com> wrote:

>> From: Andrew Sullivan <ajs at crankycanuck.ca>
>
>> > Which overhead is meant, maintaining a list of valid TLDs or rate
>> > limiting response to requests TLDs?  
>>
>> Surely both.  Neither is free.  REFUSED (and so on) all sounds to me
>> cheaper than spinning up rate limiting infrastructure for a condition
>> that could change in future when the relevant TLD gets delegated.
>
>On the contrary, I think letting the RRL patches send neither a referral
>nor an error response of REFUSED or NXDOMAIN is cheaper than spending
>the CPU cycles and bandwidth to marshal and send the response.
>
>
>> > A DNSSEC referral from the gTLD roots gives about amplification of
>> > about 14X.
>>
>> What is a DNSSEC referral?  I don't think such referrals are signed,
>> are they?
>
>I doubt DNSSEC would be secure if referrals could be forged undetectably.
>
>Try `dig +trace crankycanuck.ca` or 
>`dig +dnssec crankycanuck.ca @a.root-servers.net` and notice the
>RRSIG and NSEC RRs as well as the ~12X amplification.
>http://stats.research.icann.org/dns/tld_report/ says that .ca is
>not yet signed.  I guess that's why I can't get signatures from the
>authorities for .ca for their referrals.
>
>
>Vernon Schryver    vjs at rhyolite.com
>_______________________________________________
>ratelimits mailing list
>ratelimits at lists.redbarn.org
>http://lists.redbarn.org/mailman/listinfo/ratelimits

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
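Added example, not from the original message or from the RRL patches: the kind of referral discussed above, built in DNS wire format with Python's standard library only, so that the response can be measured against the query and each RRset checked for a covering RRSIG. Everything in it is constructed: a child "example.com." delegated from a hypothetical "com." server, made-up NS names and glue addresses, a made-up key tag and DS digest, and an RRSIG whose 64 signature bytes are not a real ECDSA signature. Names are written without compression, so a real server's answer would be somewhat smaller; the point is how much the signed DS RRset and its RRSIG add, and which RRsets carry no signature at all.

```python
"""Constructed DNSSEC-aware delegation response (not a capture): the parent
signs only the DS RRset; NS and glue A RRsets are unsigned and no DNSKEY or
NSEC records appear.  Sizes are compared with the query for amplification."""
import struct

TYPE = {"A": 1, "NS": 2, "OPT": 41, "DS": 43, "RRSIG": 46}
TYPE_NAME = {v: k for k, v in TYPE.items()}


def encode_name(name):
    """Dotted name -> uncompressed wire form (length-prefixed labels + root byte)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def rr(name, rtype, ttl, rdata, rclass=1):
    """One resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_rr(do_bit):
    """EDNS0 OPT pseudo-RR: CLASS = UDP payload size, TTL field = ext RCODE/version/flags."""
    return rr(".", TYPE["OPT"], 0x8000 if do_bit else 0, b"", rclass=4096)


def build_query(qname, do_bit=True, msg_id=0x1234):
    """A query with EDNS0; the DO bit asks for DNSSEC records in the reply."""
    hdr = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 OPT
    return hdr + encode_name(qname) + struct.pack("!HH", TYPE["A"], 1) + opt_rr(do_bit)


def build_referral(qname, signed, msg_id=0x1234):
    """Referral from a hypothetical 'com.' server for 'example.com.'.  Authority:
    NS RRset, plus DS RRset and its RRSIG when the child is signed.  Additional:
    glue A records and OPT.  All values below are made up."""
    zone, ns1, ns2 = "example.com.", "ns1.example.com.", "ns2.example.com."
    authority = [rr(zone, TYPE["NS"], 172800, encode_name(ns1)),
                 rr(zone, TYPE["NS"], 172800, encode_name(ns2))]
    if signed:
        # DS: key tag, algorithm 13 (ECDSA P-256), digest type 2 (SHA-256), fake 32-byte digest
        ds_rdata = struct.pack("!HBB", 12345, 13, 2) + bytes(range(32))
        # RRSIG over DS: type covered, alg, labels, orig TTL, expiration, inception,
        # key tag, signer name 'com.', then 64 bytes standing in for a P-256 signature
        rrsig_rdata = (struct.pack("!HBBIIIH", TYPE["DS"], 13, 2, 86400, 0x50B00000, 0x50A00000, 54321)
                       + encode_name("com.") + b"\x5a" * 64)
        authority += [rr(zone, TYPE["DS"], 86400, ds_rdata), rr(zone, TYPE["RRSIG"], 86400, rrsig_rdata)]
    additional = [rr(ns1, TYPE["A"], 172800, bytes([192, 0, 2, 1])),
                  rr(ns2, TYPE["A"], 172800, bytes([192, 0, 2, 2])), opt_rr(True)]
    hdr = struct.pack("!HHHHHH", msg_id, 0x8100, 1, 0, len(authority), len(additional))  # QR+RD, AA clear
    return hdr + encode_name(qname) + struct.pack("!HH", TYPE["A"], 1) + b"".join(authority) + b"".join(additional)


def parse_sections(msg):
    """Parse an uncompressed message into {section: [(owner, type, rdata)]}."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12

    def read_name(pos):
        labels = []
        while msg[pos] != 0:
            n = msg[pos]
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        return ".".join(labels) + ".", pos + 1

    for _ in range(qd):
        _, off = read_name(off)
        off += 4  # QTYPE, QCLASS
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[sec] = rrs
    return sections


def signed_rrsets(msg):
    """{section: {(owner, type name): covered_by_rrsig}} for data RRsets; RRSIG and OPT omitted."""
    out = {}
    for sec, rrs in parse_sections(msg).items():
        covered = {(n, struct.unpack("!H", rd[:2])[0]) for n, t, rd in rrs if t == TYPE["RRSIG"]}
        out[sec] = {(n, TYPE_NAME.get(t, t)): (n, t) in covered
                    for n, t, _rd in rrs if t not in (TYPE["RRSIG"], TYPE["OPT"])}
    return out


def amplification(query, response):
    """Bytes returned per byte sent: what the reflector offers a spoofing attacker."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("www.example.com.")
    for signed in (False, True):
        resp = build_referral("www.example.com.", signed)
        print(f"signed={signed}: query {len(q)} B, referral {len(resp)} B, {amplification(q, resp):.1f}x")
        print("   ", signed_rrsets(resp))
```

Run stand-alone it reports a 44-byte query, a 186-byte unsigned referral (about 4.2x) and a 355-byte signed one (about 8.1x), with only the ("example.com.", "DS") entry marked as covered by an RRSIG; the NS RRset and both glue A records are reported unsigned. Real referrals run larger than this toy because of more NS records and, in 2012, longer RSA signatures, which is how the 12x to 14x figures quoted in the thread arise.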