[ratelimits] "on the time value of security features in dns"

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Sep 16 17:52:36 UTC 2013

Hi Paul,

On 09/16/2013 06:12 PM, Paul Vixie wrote:
> Stephane Bortzmeyer wrote:
>> On Fri, Sep 13, 2013 at 11:30:27AM -0700,
>>  Paul Vixie <vixie at fsi.io> wrote 
>>  a message of 10 lines which said:
>>> http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/
>> See also the similar
>> <http://www.nlnetlabs.nl/blog/2013/09/16/rrl-slip-and-response-spoofing/>
> for the record, the nlnetlab blog article cited above leaves deliberate
> doubt as to whether slip=1 is safe in the specific case where dnssec is
> not in use. i think this is wrong in two ways.
> first, the question isn't just whether the zone has been signed, but
> also whether all important queriers are doing validation. that is, if
> dnssec is a get-out-of-"slip=2"-free card, then it's got to be measured
> end to end.

You are right, it is only true if also validation is in place. But we
feel that with signing your zone, you did at least your part when it
comes to countering cache poisoning attacks and slip 2 is the better
choice when it comes to countering reflection attacks. Thus, we think
that signing your zone + rrl with slip=2 is the best setting for an
authoritative name server.

If resolvers suffer from cache poisoning, I would say: let them turn on

> second, dnssec doesn't matter. the risk of "slip=2" is so small compared
> to the risk of unattenuated packet reflection (even without
> amplification at the octet level) that noone shouldbe advised to
> consider "slip=1".

In the case that you are not able to do DNSSEC, we acknowledge the
issues raised by the ANSSI report. And we want to inform our users the
trade-off between slip 1 and 2 in that case.

> slip=1 amounts to a self-DoS by the server operator against his own
> server, since it encourages real victims to depend solely on TCP which
> is way more fragile than UDP, and also bypasses the fundamental intent
> of an RRL-using operator by which i mean it fails to make the RRL-using
> server unattractive to bad guys.

That is a nice additional consideration for people to take into account
when making a decision for the slip configuration, thanks. Though I
would like to see measurements of how much additional TCP traffic that
really triggers towards the authoritative name server.

To conclude: The advise the blog tries to carry out is: sign your zones
and use rrl with slip=2. You can't rely solely on rrl to solve your
reflection *and* response spoofing problems.

Best regards,

> i won't be making either point in public unless the discussion continues
> in public.

> vixie
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits

More information about the ratelimits mailing list