[ratelimits] "on the time value of security features in dns"

Paul Vixie paul at redbarn.org
Mon Sep 16 16:12:56 UTC 2013



Stephane Bortzmeyer wrote:
> On Fri, Sep 13, 2013 at 11:30:27AM -0700,
>  Paul Vixie <vixie at fsi.io> wrote 
>  a message of 10 lines which said:
>
>> http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/
>
> See also the similar
> <http://www.nlnetlabs.nl/blog/2013/09/16/rrl-slip-and-response-spoofing/>

for the record, the nlnetlab blog article cited above leaves deliberate
doubt as to whether slip=1 is safe in the specific case where dnssec is
not in use. i think this is wrong in two ways.

first, the question isn't just whether the zone has been signed, but
also whether all important queriers are doing validation. that is, if
dnssec is a get-out-of-"slip=2"-free card, then it's got to be measured
end to end.

second, dnssec doesn't matter. the risk of "slip=2" is so small compared
to the risk of unattenuated packet reflection (even without
amplification at the octet level) that no one should be advised to
consider "slip=1".

slip=1 amounts to a self-DoS by the server operator against his own
server, since it encourages real victims to depend solely on TCP which
is way more fragile than UDP, and also bypasses the fundamental intent
of an RRL-using operator by which i mean it fails to make the RRL-using
server unattractive to bad guys.

i won't be making either point in public unless the discussion continues
in public.

vixie
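The reflection argument above can be made concrete with a toy model of RRL's "slip" setting. The following is an added example, not Paul Vixie's code and not BIND's RRL implementation. It assumes a per-client-address token bucket refilled once per second, that every rate-limited response is dropped except that every slip-th one is sent as a small truncated (TC=1) reply, that slip=0 means never slip, and constructed packet sizes (an amplifying UDP answer versus a query-sized truncated reply). It then counts, for a burst of queries with a spoofed victim source address, how many packets and bytes the server reflects toward that victim under slip=0, slip=1 and slip=2.

```python
"""Toy model of DNS Response Rate Limiting (RRL) 'slip' semantics.

Added example; not the mailing-list author's code and not BIND's RRL.
Assumptions (labelled): per-client token bucket refilled each whole
second with `responses_per_second` tokens; rate-limited responses are
dropped except every `slip`-th one, which becomes a truncated (TC=1)
reply; slip=0 never slips. Packet sizes below are constructed.
"""
from collections import defaultdict

QUERY_BYTES = 70           # constructed: a UDP query for a large RRset
FULL_ANSWER_BYTES = 1400   # constructed: an amplifying UDP answer
TC_RESPONSE_BYTES = 70     # constructed: truncated reply, query-sized


class RRL:
    def __init__(self, responses_per_second: int, slip: int):
        self.rps = responses_per_second
        self.slip = slip
        self.tokens = defaultdict(lambda: responses_per_second)
        self.window = defaultdict(int)
        self.limited = defaultdict(int)  # rate-limited count per client

    def decide(self, client: str, now: int) -> str:
        """Return 'answer', 'truncate' or 'drop' for one query."""
        # Refill the bucket when a new one-second window starts.
        if self.window[client] != now:
            self.window[client] = now
            self.tokens[client] = self.rps
        if self.tokens[client] > 0:
            self.tokens[client] -= 1
            return "answer"
        # Over the limit: slip every slip-th response, drop the rest.
        self.limited[client] += 1
        if self.slip and self.limited[client] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate_burst(slip: int, rps: int = 5, queries: int = 105,
                   victim: str = "198.51.100.7") -> dict:
    """Spoofed burst of `queries` in one second, all claiming `victim`.

    Returns per-outcome counts plus reflected packets per query and
    reflected bytes per query byte (the amplification factor).
    """
    rrl = RRL(rps, slip)
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    for _ in range(queries):
        counts[rrl.decide(victim, now=0)] += 1
    packets_out = counts["answer"] + counts["truncate"]
    bytes_out = (counts["answer"] * FULL_ANSWER_BYTES
                 + counts["truncate"] * TC_RESPONSE_BYTES)
    return {
        **counts,
        "packet_reflection": packets_out / queries,
        "byte_amplification": bytes_out / (queries * QUERY_BYTES),
    }


if __name__ == "__main__":
    for slip in (0, 1, 2):
        r = simulate_burst(slip)
        print(f"slip={slip}: answer={r['answer']} truncate={r['truncate']} "
              f"drop={r['drop']} packets/query={r['packet_reflection']:.2f} "
              f"bytes amplification={r['byte_amplification']:.2f}")
```

With these constructed numbers, slip=1 reflects exactly one packet toward the spoofed victim for every query the attacker sends, so the server remains a 1:1 packet reflector even though the byte amplification is modest; slip=2 halves that, and slip=0 reflects only the unlimited answers. The model ignores the BIND-specific details (prefix-length bucketing, per-response-type limits, the "window" smoothing) that a real deployment would tune.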