To:
Miek Gieben <miekg@nlnetlabs.nl>
cc:
Simon Josefsson <jas@extundo.com>, dnssec@cafax.se
From:
Olafur Gudmundsson <ogud@ogud.com>
Date:
Wed, 4 Jul 2001 09:12:50 -0400 (EDT)
In-Reply-To:
<20010704141228.C37537@atoom.net>
Sender:
owner-dnssec@cafax.se
Subject:
Re: ttl problems in DNSSEC
On Wed, 4 Jul 2001, Miek Gieben wrote: > [On 03 Jul, 2001, Olafur Gudmundsson wrote in " Re: ttl problems in DNSSEC "] > > At 10:41 AM 6/29/2001, Miek Gieben wrote: > > > > > > [1]: perhaps the resolver is able to detect this situation by > > > > comparing the key tag field on S++2(A) with K++1, and then try get > > > > more recent data. > > >then you propose that if data is BAD an extra query for the key most be > > >done? I'm afraid this will yield too many extra queries... > > > > Not a problem this will only happen once in a long while, thus when this > > happens extra query is fine. > so you are saying if there is bad data it is okay to requery for stuff > you need? (Another key for instance) Yes if you discover another key is needed then you need to get it. > > I think it is pretty easy for an attacker to fake bad data and thus > generate a huge amount of extra queries. Those queries must alwyas be > validated (as bad data isn't cached) thus generating an extra load on > the nameserver. I know, the simplest one is to toggle the key id's on the signatures. > > (is this the old DNSSEC doesn't protect you against DOS attacks? (but > makes them very easy to do)) > Exactly, that is why you should try to use TSIG/TKEY or TLS or IPSEC when frequently talking to nameservers. > > The real problem here is that K++1 was removed before data signed with it > > expired from caches, this MUST only be done in emergency. > > In most cases K++1 should remain in the keyset long enough for zone signed > > by K++2 to propagate to slaves and then time out in caches. > I agree, a statement along those lines will be put in the BCP, Good look forward to seeing the BCP. Olafur