Re: dns hop by hop transaction security for queries
> From: Duane <duane@e164.org>
>
> Paul Vixie wrote:
> > i am especially attracted to any proposal that can be developed and
> > implemented without new protocol or API development, and which can be
> > deployed pairwise without any action at a distance by unknown parties.
>
> ...
>
> A trivial solution that wouldn't break anything might be just to prefix
> something to the front of all hostnames that both ends strip before
> processing them, 63 octets will give you 504 bits.
forget for a moment all your bad math (note, i can't count quatloos either.)
if we wanted to use the question section to hold more nonce bits, we'd set
QDCOUNT=2 and the second question would be for <longrandomthing>.ECHO and
the RFC on this topic would just say, if QDCOUNT is 2 and the TLD of the
second question is ECHO, then this must be copied into the response along
with the rest of the question section (bit for bit, to accommodate DNS-0x20),
and will not affect the processing of the response in any other way.
fallback would mean the server did not answer or sends a FORMERR or ignores
the second question. since any of those can be spoofed by a downgrade attack,
this approach would require a more-than-two-packet negotiation sequence.
your approach of adding another label to the front of the QNAME of QDCOUNT=1
is also subject to downgrade attacks, and would require more-than-two-packet
negotiation as well.
if we're going to negotiate, then that means either DTLS or TKEY-over-TCP.
and if we're going to do TKEY-over-TCP then we should just use TSIG for the
queries. whereas if we're going to use DTLS to negotiate then we should use
DTLS to protect the queries. so, i can't find a case in which we would use
either an extra label in the question, or an extra question, to encode extra
bits.
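To make the QDCOUNT=2 / .ECHO sketch above concrete, here is an added example (not code from the thread or from any DNS implementation) in Python: a resolver-side query builder that appends a <nonce>.ECHO question, a server that copies the question section back bit for bit, a legacy server that drops the second question (the fallback case), and the client-side check that only accepts a response when the ECHO question comes back byte-identical. The use of TXT/IN for the ECHO question and a hex-encoded 16-byte nonce are assumptions of this example.

```python
import os
import struct

ECHO_TLD = b"ECHO"   # assumed TLD for the echoed nonce question

def encode_name(name: bytes) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels ending in the root."""
    return b"".join(bytes([len(l)]) + l for l in name.split(b".") if l) + b"\x00"

def build_query(qname: bytes, txid: int, nonce: bytes) -> bytes:
    """Query with QDCOUNT=2: the real question plus <nonce-hex>.ECHO (TXT/IN, assumed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 2, 0, 0, 0)   # RD=1, QDCOUNT=2
    q1 = encode_name(qname) + struct.pack("!HH", 1, 1)          # A, IN
    echo_name = nonce.hex().encode() + b"." + ECHO_TLD
    q2 = encode_name(echo_name) + struct.pack("!HH", 16, 1)     # TXT, IN
    return header + q1 + q2

def parse_questions(msg: bytes):
    """Return (txid, flags, [raw question bytes, ...]); questions are uncompressed."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        start = off
        while msg[off] != 0:           # walk labels until the root label
            off += msg[off] + 1
        off += 1 + 4                   # root label + QTYPE + QCLASS
        questions.append(msg[start:off])
    return txid, flags, questions

def echo_aware_server(query: bytes) -> bytes:
    """Server following the sketched rule: copy the question section bit for bit
    (ECHO question included) and set QR; answer records omitted for brevity."""
    txid, flags, questions = parse_questions(query)
    header = struct.pack("!HHHHHH", txid, flags | 0x8000, len(questions), 0, 0, 0)
    return header + b"".join(questions)

def legacy_server(query: bytes) -> bytes:
    """Server that ignores the second question: the fallback case in the message."""
    txid, flags, questions = parse_questions(query)
    return struct.pack("!HHHHHH", txid, flags | 0x8000, 1, 0, 0, 0) + questions[0]

def response_is_authenticated(query: bytes, response: bytes) -> bool:
    """Accept only when TXID matches, RCODE is 0, both questions came back, and the
    ECHO question is byte-identical (so DNS-0x20 case changes are caught as well)."""
    qtxid, _, qqs = parse_questions(query)
    rtxid, rflags, rqs = parse_questions(response)
    if rtxid != qtxid or not rflags & 0x8000 or rflags & 0x000F:
        return False                   # wrong id, not a response, or FORMERR etc.
    return len(rqs) == 2 and rqs[0] == qqs[0] and rqs[1] == qqs[1]

if __name__ == "__main__":
    q = build_query(b"www.example.com", 0x1234, os.urandom(16))
    print("echo-aware:", response_is_authenticated(q, echo_aware_server(q)))  # True
    print("legacy    :", response_is_authenticated(q, legacy_server(q)))      # False
```

Note that the legacy case returning False is exactly the fallback the message describes: the client cannot tell a real legacy server from a downgrade, which is why the text concludes a negotiation would be needed.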
archive: <http://ops.ietf.org/lists/namedroppers/>