[Ach] DNSSEC and reference/mention to it
klaus.darilion at nic.at
Tue Feb 4 12:16:08 CET 2014
Just to mention another small benefit: DNSSEC is necessary to prove that
a domain does not exist - TLS can not help here, as there is not TLS
On 04.02.2014 08:43, Arsen STASIC wrote:
> @azet: DDoS utilizing DNSSEC is already an issue we have run into:
> First attacks appeared in autumn 2012, in January 2013 ccTLD .ch was
> under attack
> and in March 2013 spamhouse.org
> Software vendors have added RRL (Response Rate Limiting) to address
> DNSSEC DDos. Since bind 9.9.4 its part of ISC's official bind release.
> Red Hat took the RRL-patch and deployed it to REHL 6
> (bind-9.8.2-0.17.rc1.el6). Ubuntu also ships bind with RRL since
> version 9.8.4.dfsg.P1-5. And other vendors beside ISC (bind) also ship
> patched versions for their nameserver software:
> NSD: http://www.nlnetlabs.nl/projects/nsd/
> Knot DNS: https://www.knot-dns.cz/
> Regarding deployment of DNSSEC-zones:
> @Julien: DNSSEC just checks the integrity of DNS. It's not more than
> that. In order to check signatures an DNSSEC enabled resolver is also
> Is it worth the effort? I do not know. But how could you with TLS
> prevent, that someone has not changed DNS and points you somewhere else?
> Who is really tracking if an certificate authority has changed in oder
> to have evidence that possibly someone tries to redirect you? I have no
> answers to that but DNSSEC can address it!
> Everyone hat to decide on its own, if it's worth the effort. We are just
> providing howtos to everyone.
> * Aaron Zauner <azet at azet.org> [2014-02-03 18:02 (+0100)]:
>> So,.. does anybody remember this talk by DJB on DDOS via the DNSSEC
>> protocol: http://cr.yp.to/talks/2009.08.10/slides.pdf
>> I'm not that up-to-date on that, but as far as I know this issue presists,
>> On Mon, Feb 3, 2014 at 5:24 PM, Julien Vehent <julien at linuxwall.info> wrote:
>>> On 2014-02-03 11:04, Alexander Wuerstlein wrote:
>>>> On 14-02-03 17:00, Julien Vehent <julien at linuxwall.info> wrote:
>>>>> There has been a lot of discussions on whether DNSSEC adds security when
>>>>> already using TLS at the protocol level. The main argument is that both
>>>>> TLS and DNSSEC use a 3rd party trust model, and thus have the same level
>>>>> of security. If an attacker can obtain a certificate for example.net, he
>>>>> should be capable of obtaining a signed DNS record for example.net.
>>>>> The question is then: is DNSSEC worth the effort?
>>>> That is a very HTTP-centric view of things which is only valid if there
>>>> is nothing else. But redirecting SMTP connections via faked DNS entries
>>>> is still a problem even with TLS since SMTP only uses opportunistic
>>>> encryption with minimal or no checks. Other protocols may have similar
>>>> (albeit similarly stupid) problems, so yes, DNSSEC is worth the effort,
>>>> at least until every protocol does TLS properly and always.
>>> HTTP is irrelevant here. The same security concept applies to any protocol
>>> that relies on TLS. What you are discussing can be broken down in 3
>>> 1. transport protocol is cleartext
>>> 2. transport protocol uses opportunistic encryption (STARTTLS)
>>> 3. transport protocol enforces TLS
>>> I am only challenging the level of security that DNSSEC adds in category 3.
>>> For category 1 and 2, we could argue that the need for transport level
>>> encryption is still there, and not covered by DNSSEC. Thus, does DNSSEC
>>> a problem that is worth the (significant) effort it takes to deploy it.
>>> Or would that time be better spent enforcing TLS on those services?
>>> (you can tell you smtp client to require STARTTLS, btw)
>>> - Julien
>>> Ach mailing list
>>> Ach at lists.cert.at
>> Ach mailing list
>> Ach at lists.cert.at
> Ach mailing list
> Ach at lists.cert.at
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Ach