On Tue, 03 Dec 2002 08:21:22 PST, you said:

> Stop blustering, you clearly did not know the difference between
> a CRL and OCSP and certainly have no real world experience of
> operating PKI on which to base your broad assertions.

I said "total process". The process failure described in the CERT advisory didn't care if it was a CRL, OCSP, an X.509 certificate, or a piece of paper scotch-taped to one end of a tin-cans-and-string link that says "Don't use unless your name is Fred".

I admit I don't do any PKI per se. What I *do* have is over 2 decades of making a good living at cleaning up the mess when people misconfigure things. So I'm reading RFC2560 and see this in section 5:

   A denial of service vulnerability is evident with respect to a flood
   of queries. The production of a cryptographic signature significantly
   affects response generation cycle time, thereby exacerbating the
   situation. Unsigned error responses open up the protocol to another
   denial of service attack, where the attacker sends false error
   responses.

and I combine that with the research out of CAIDA I cited earlier that showed 98% of DNS queries to a root nameserver being broken, and my experience tells me that This Is A Train Wreck Waiting To Happen. The only mitigating factor here is that section 2.5 allows the precomputing of a response and associated signature.

> You appear to be confusing CRLs with OCSP. Try reading the OCSP
> spec, I wrote the original section on caching responses.

Hmm... I've checked RFC2560, and didn't find anything significant about caching other than "beware HTTP proxies with broken caching" (or did you mean the precomputation of responses in section 2.5)?

Also, is there a spec for a DNS RR to supplement the serviceLocator extension of 2560 section 4.4.6? That would also help to minimize and distribute the load (as the OCSP RR could be lumped in with the other DNS RRs for DNSSEC processing; handing back the OCSP info in an "additional info" field then saves you another resource hit when an OCSP query gets made).

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
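The three RFC 2560 points raised in the message above (per-query signing as a denial-of-service amplifier in section 5, precomputed responses in section 2.5 as the mitigation, and unsigned error responses as a channel anyone on the path can forge) can be modelled compactly. The following is an added example, not code from this thread or from any real OCSP implementation: it stands an HMAC in for the responder's asymmetric signature, uses made-up CertID values and a constructed revocation table, and counts signing operations under a simulated query flood so the difference between the two responder strategies is visible as a number.

```python
"""Toy OCSP responder model (added example; not from the original thread).

ASSUMPTIONS: the HMAC 'signature' stands in for the responder's real
signature; CertID fields are plain strings/ints rather than DER-encoded
hashes; every key, name and serial below is made up for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key; a real responder signs with its private key.
RESPONDER_KEY = b"toy-ocsp-responder-key"


@dataclass(frozen=True)
class CertID:
    issuer_name_hash: str
    issuer_key_hash: str
    serial: int


@dataclass(frozen=True)
class SignedResponse:
    cert_id: CertID
    cert_status: str      # 'good', 'revoked' or 'unknown'
    this_update: int      # seconds; a real response carries GeneralizedTime
    next_update: int
    signature: bytes


@dataclass(frozen=True)
class ErrorResponse:
    """OCSPResponseStatus other than 'successful'; RFC 2560 leaves these unsigned."""
    response_status: str  # e.g. 'tryLater', 'malformedRequest'


def _tbs(cert_id, cert_status, this_update, next_update):
    """Bytes covered by the signature (stand-in for DER tbsResponseData)."""
    return "|".join([cert_id.issuer_name_hash, cert_id.issuer_key_hash,
                     str(cert_id.serial), cert_status,
                     str(this_update), str(next_update)]).encode()


def _sign(tbs):
    return hmac.new(RESPONDER_KEY, tbs, hashlib.sha256).digest()


class Responder:
    def __init__(self, status_db, validity=3600, precompute=True):
        self.status_db = status_db    # CertID -> cert status
        self.validity = validity
        self.precompute = precompute
        self.cache = {}
        self.sign_ops = 0             # the expensive step section 5 warns about

    def _build(self, cert_id, now):
        status = self.status_db.get(cert_id, "unknown")
        this_update, next_update = now, now + self.validity
        self.sign_ops += 1
        sig = _sign(_tbs(cert_id, status, this_update, next_update))
        return SignedResponse(cert_id, status, this_update, next_update, sig)

    def refresh(self, now):
        """Section 2.5 style: sign one response per known cert, off the query path."""
        for cert_id in self.status_db:
            self.cache[cert_id] = self._build(cert_id, now)

    def handle(self, cert_id, now, overloaded=False):
        if overloaded:
            return ErrorResponse("tryLater")   # unsigned, per the spec
        if self.precompute:
            cached = self.cache.get(cert_id)
            if cached is not None and now < cached.next_update:
                return cached                  # no signature per query
        # Cache miss (e.g. a serial we never issued): sign on demand, but do
        # not cache it, or a flood of random serials would fill the cache.
        return self._build(cert_id, now)


def client_check(resp, now):
    """Return (authenticated, status); an unsigned error is never a cert status."""
    if isinstance(resp, ErrorResponse):
        # Forgeable by anyone on the path; it proves nothing about the cert.
        return (False, resp.response_status)
    expected = _sign(_tbs(resp.cert_id, resp.cert_status,
                          resp.this_update, resp.next_update))
    if not hmac.compare_digest(expected, resp.signature):
        raise ValueError("bad responder signature")
    if not (resp.this_update <= now <= resp.next_update):
        raise ValueError("response outside its validity window")
    return (True, resp.cert_status)


def flood(responder, cert_ids, queries, now):
    """Send a query flood and return how many signatures the responder produced."""
    for i in range(queries):
        responder.handle(cert_ids[i % len(cert_ids)], now)
    return responder.sign_ops
```

Run `flood()` against a `Responder(db)` that has been `refresh()`ed and against a `Responder(db, precompute=False)`: the first signs once per certificate per validity window however many queries arrive, the second signs once per query, which is exactly the amplification the section 5 text describes. `client_check()` makes the other half of the point: an `ErrorResponse` comes back as unauthenticated, so a client must fall back to its own policy rather than read "tryLater" as either good or revoked.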