
Re: DS status? (Fwd)



In message <Roam.SIMC.2.0.6.1044559689.9494.nordmark@bebop.france>, Erik Nordmark writes:
>>----------------Begin Forwarded Message----------------<
>
>Date: Thu, 06 Feb 2003 14:05:10 -0500 (EST)
>From: "Olafur Gudmundsson" <ogud@ogud.com>
>Subject: Re: DS status?
>To: "Erik Nordmark" <Erik.Nordmark@Sun.COM>
>Cc: "Randy Bush" <randy@psg.com>, "Olafur Gudmundsson" <ogud@ogud.com>
>
>
>
>
>On Thu, 6 Feb 2003, Erik Nordmark wrote:
>
>>
>> So is the remaining issue(s) with ds-12 an issue about missing protocol
>> magic, or just getting the text right?
>>
>
>The issue is "bad interaction with software that implements RFC2535".
>DS-12 specifies that secure zone answers for an insecure delegation with a
>referral containing NS and NXT records in the authority section.
>One widely distributed implementation looks in the message and sees the NXT
>and thinks: DOES NOT EXIST proof.
>This is done without looking into the NXT and can be used as DoS attack
>against installed base.
>Possible solutions include:
>	renumber DNSSEC records or at least the NXT record
>	Have different flag in EDNS header to indicate DS awareness and
>	only then hand out the NXT.
>
>I think renumbering the NXT is a better solution but this issue needs to
>be discussed more, once this is decided I can update DS and we are done.
>(how often have I said that?)
>

Sam Weiler and I discussed this on Monday.  Renumbering the DNSSEC 
records struck me as the obvious (and easiest) solution.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
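The failure mode Olafur describes, as an added example that is not from this thread or from any named implementation: a resolver that treats any NXT in the authority section as a "does not exist" proof, beside one that recognises the delegation before it looks at the NXT range. The zone "example.", its records and the canonical-ordering helper are constructed for illustration.

```python
# Added example (not from the thread): an NXT in a DS-12 style referral
# must be inspected, not taken as an NXDOMAIN proof on sight.
# The zone "example." and all records below are constructed.

def canonical_key(name):
    # RFC 2535-style canonical ordering: labels compared right to left,
    # case-insensitively; a name sorts after every name it extends.
    stripped = name.rstrip(".").lower()
    return tuple(reversed(stripped.split("."))) if stripped else ()

def is_subdomain(name, parent):
    pk, nk = canonical_key(parent), canonical_key(name)
    return nk[:len(pk)] == pk

def nxt_covers(owner, next_name, qname):
    # The NXT at `owner` proves no name sorts strictly between `owner`
    # and `next_name`. When `next_name` is the zone apex (sorts before
    # owner) the chain wraps: everything after `owner` is covered.
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    return o < q < n if o < n else q > o

def naive_classify(qname, authority):
    # The RFC 2535 behaviour the thread complains about: any NXT in the
    # authority section is read as proof that qname does not exist.
    if any(rtype == "NXT" for _, rtype, _ in authority):
        return "NXDOMAIN"
    return "REFERRAL" if any(r[1] == "NS" for r in authority) else "UNKNOWN"

def careful_classify(qname, authority):
    # NS records at a name the query falls under signal a delegation,
    # and that check must come first: the NXT at a delegation point
    # covers every name beneath it in canonical order, because those
    # names live in the child zone, so range-checking alone is not enough.
    for owner, rtype, _ in authority:
        if rtype == "NS" and is_subdomain(qname, owner):
            return "REFERRAL"
    for owner, rtype, rdata in authority:
        if rtype == "NXT" and nxt_covers(owner, rdata, qname):
            return "NXDOMAIN"
    return "UNKNOWN"   # neither a referral nor a covering NXT: treat as bogus

# Constructed DS-12 style answer for an insecure delegation: the parent
# returns the NS set plus its NXT for the delegation point.
REFERRAL = [
    ("child.example.", "NS", "ns1.child.example."),
    ("child.example.", "NXT", "zulu.example."),
]
```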