On Jun 3, 2009, at 12:23 AM, Christian Huitema wrote:
Yes, security of DNSSEC is totally hop by hop.
Thus, you imply a definition of hop by hop along digital signature
relationships. Indeed, DNSSEC security is limited to the weakest
link along the chain from the bottom to the top of the DNS
hierarchy. Nothing new there. I don't think any DNSSEC expert ever
claimed differently.
Even in the presence of the "attack by a trusted party", there are
still huge differences between DNSSEC and "transport-hop-by-
transport-hop" security. Transport-based solutions, SCTP or TCP, are
open to attacks by any party in the path between two hops -- NAT
routers come to mind. DNSSEC is immune to such attacks, a big
advantage in practice.
Also, it is actually possible to improve on DNSSEC by introducing
additional knowledge. If two domains have an established relation,
their servers can memorize the relevant public keys. If a host has a
relation with a domain, it can memorize that domain's public key.
This kind of "peer-to-peer" improvement makes the domain-to-domain
or host-to-domain DNSSEC service immune to attacks by nodes higher
in the hierarchy.
Private ad-hoc caching of keys would make DNS fairly fragile. While
the trust anchor issue for DNSSEC looms, DNS will remain prone to
inadvertently cached unsigned content. Benefits obtained by using
DNS over SCTP would be significant protection from out-of-path
poisoning, whether information is signed or not. Once DNSSEC is fully
implemented and trust anchor issues are resolved, information
contained within DNS would not depend upon transport protections.
When that might happen remains unknown. However, once DNSSEC becomes
widely adopted, the Internet may need protection from UDP/EDNS0 source
spoofing. For this, SCTP would offer protection from source spoofing
that DNSSEC does not prevent. EDNS0 should also have min/max limits
imposed, where packets of a greater size should be handled by SCTP.
The brute force strategy that allows DNS over UDP to cope with source
spoofing and misuse, also makes DNSSEC over UDP a greater risk. UDP
does not lend itself to being moderated or flow controlled, as some
suggest. Although TCP permits flow control, TCP is much more
vulnerable to resource exhaustion, creating significant costs when
defending TCP services compared to those using UDP or SCTP.
Reliability, performance and DDoS immunity make SCTP an attractive
solution over TCP. SCTP should perform well as a transport for either
DNS or DNSSEC. SCTP would also provide improved security and
performance for HTTP. :^)
-Doug
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
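The two points Huitema makes above (DNSSEC trust is only as strong as the weakest link in the parent chain, and a remembered per-domain key removes that dependency on the parents) can be shown with a small model. This is an added example, not code from the thread or from any DNSSEC implementation; zone names, key ids and addresses are constructed, and "signatures" are just (key id, sha256 of data), so it models who vouches for what rather than real signature unforgeability.

```python
import hashlib

# Toy model of DNSSEC's chain of trust (constructed for this example, not real DNSSEC code).
# A "signature" is (signing key id, sha256(data)); verify() checks the signer is the key the
# validator currently trusts. This captures the trust relationships, not cryptographic strength.

def digest(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def sign(key_id: str, data: str) -> tuple:
    return (key_id, digest(data))

def verify(sig: tuple, expected_key: str, data: str) -> bool:
    return sig[0] == expected_key and sig[1] == digest(data)

def validate(answer: dict, trust_anchor: str, pinned: dict = None) -> bool:
    """Walk root -> TLD -> zone. Each hop's DS (the child's key) must be signed by the key
    trusted for the parent; the final RRset must be signed by the leaf key. A pinned key for
    a zone (the "host-to-domain relation" in the thread) replaces the walk above that zone."""
    pinned = pinned or {}
    trusted_key = trust_anchor
    for zone, child_key, ds_sig in answer["chain"]:
        if zone in pinned:                  # remembered key: parents' vouching is ignored
            trusted_key = pinned[zone]
            continue
        if not verify(ds_sig, trusted_key, child_key):
            return False                    # parent did not vouch for this key
        trusted_key = child_key
    return verify(answer["rrsig"], trusted_key, answer["rrset"])

# Constructed key ids and records; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
ROOT, COM, EXAMPLE, OTHER = "root-ksk", "com-zsk", "example-zsk", "unrelated-key"
RRSET = "www.example.com. A 192.0.2.10"
BOGUS = "www.example.com. A 198.51.100.7"

def honest_answer() -> dict:
    return {"chain": [("com.", COM, sign(ROOT, COM)), ("example.com.", EXAMPLE, sign(COM, EXAMPLE))],
            "rrset": RRSET, "rrsig": sign(EXAMPLE, RRSET)}

def parent_substituted_key() -> dict:
    """The weakest-link case: the parent (.com) vouches for a key the zone owner never chose,
    and the record is signed with that key. Every hop still verifies."""
    return {"chain": [("com.", COM, sign(ROOT, COM)), ("example.com.", OTHER, sign(COM, OTHER))],
            "rrset": BOGUS, "rrsig": sign(OTHER, BOGUS)}

def off_path_substitution() -> dict:
    """A party that is not in the chain at all swaps the record; no hop vouches for its key."""
    return {"chain": honest_answer()["chain"], "rrset": BOGUS, "rrsig": sign(OTHER, BOGUS)}
```

With `pinned={"example.com.": EXAMPLE}` the validator accepts the honest answer but rejects the parent-substituted one, which is exactly the improvement the thread describes; without pinning, the parent-substituted answer validates.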