To:
iesg@ietf.org
Cc:
dnsop@cafax.se
From:
"D. J. Bernstein" <djb@cr.yp.to>
Date:
9 Mar 2000 02:38:03 -0000
Sender:
owner-dnsop@cafax.se
Subject:
Re: Last Call: Root Name Server Operational Requirements to BCP
I continue to object to opreq on security grounds.
The following table summarizes the security situation from an attacker's
perspective (assuming unpredictable query ports and IDs---true for many
caches now, and presumably almost all caches in a few years):
DNS Trivial to break from anywhere.
DNS+opreq Trivial to break from anywhere.
DNS+opreq+inzone Need to sniff or send billions of forgeries.
DNS+dnssec Need to subvert one of the signers.
DNS+dnssec+opreq Need to subvert one of the signers.
DNS+dnssec+opreq+inzone Need to subvert one of the signers.
Explanation of the symbols:
* opreq: the security practices required in opreq-03 and opreq-04,
such as avoiding insecure software on central DNS servers;
* inzone: the very low-cost, and fairly common, practice of using
in-zone _names_ for NS records;
* dnssec: the very high-cost, and currently mythical, practice of
creating and verifying IANA+NSI+... signatures.
The opreq authors appear to believe that opreq by itself adds security.
That belief is incorrect, as my bugtraq message demonstrates.
On the other hand, opreq+inzone would drastically increase the
attacker's expense, at the trivial cost of changing a few NS names.
---Dan