To: Derek Atkins <derek@ihtfp.com>
Cc: dnssec@cafax.se
From: Roy Arends <roy@dnss.ec>
Date: Mon, 21 Jun 2004 21:10:12 +0200 (CEST)
In-Reply-To: <sjmeko8n77u.fsf@dogbert.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: dropping packets. Re: continued: rrsig(qtype)
On Mon, 21 Jun 2004, Derek Atkins wrote:

> On the technical side, have you explored what a resolver does in the
> face of an attacker dropping packets in a reply? I think it's clear
> what a resolver can determine in all cases, but it might be helpful to
> enumerate the potential changes an attacker could make.

I know a potential solution would be 'bad cache', as in, cache bad events to prevent aggression due to invalid signatures. In general, any nameserver will become aggressive when it is denied data.

There is also the downgrade attack by deleting (some) RRSIGs in order to let the resolver assume only one RRSIG exists (it would be a downgrade attack if this RRSIG was signed by an experimental DNSKEY). I think this issue has been solved, but I'm not sure where this is written.

It is an interesting exercise to enumerate potential damage by dropping record sets. I'll go and find out where I've written this out.

Roy
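As an added illustration, not part of the thread, the following toy model shows the RRSIG-deletion downgrade Roy describes from the resolver's side: an RRset carries two RRSIGs (one from a production key, one from an experimental key), an on-path party strips the production RRSIG, and a resolver that only checks "does some RRSIG verify?" is downgraded, while one that requires an RRSIG verifiable under a trusted key marks the RRset bogus. HMAC tags stand in for real public-key RRSIGs, and all key names, secrets and records are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed toy keys: an HMAC secret stands in for each DNSKEY's key pair.
KEYS = {"zsk-prod": b"prod-secret", "zsk-exp": b"experimental-secret"}


@dataclass(frozen=True)
class RRSIG:
    key_tag: str   # which DNSKEY made this signature
    tag: bytes     # the toy "signature" over the canonical RRset


def canonical(rrset):
    # Canonical form: sorted records joined, as RRSIG covers the whole RRset.
    return "|".join(sorted(rrset)).encode()


def sign(rrset, key_tag):
    return RRSIG(key_tag, hmac.new(KEYS[key_tag], canonical(rrset), hashlib.sha256).digest())


def verify(rrset, sig):
    expected = hmac.new(KEYS[sig.key_tag], canonical(rrset), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.tag)


def naive_validate(rrset, sigs):
    # Flawed rule: "some RRSIG verifies under some key" is treated as secure,
    # so whichever RRSIG survives on the wire decides the outcome.
    return "secure" if any(verify(rrset, s) for s in sigs) else "bogus"


def validate(rrset, sigs, trusted):
    # Defensive rule: secure only if at least one RRSIG verifies under a key
    # the resolver actually trusts; a missing trusted RRSIG yields bogus.
    return "secure" if any(s.key_tag in trusted and verify(rrset, s) for s in sigs) else "bogus"


def downgrade_scenario():
    rrset = ("www.example. A 192.0.2.1",)          # constructed sample RRset
    sigs = [sign(rrset, "zsk-prod"), sign(rrset, "zsk-exp")]
    trusted = {"zsk-prod"}                         # experimental key is not trusted
    stripped = [s for s in sigs if s.key_tag != "zsk-prod"]   # production RRSIG lost in transit
    return (naive_validate(rrset, stripped),       # downgraded: "secure"
            validate(rrset, stripped, trusted),    # correct: "bogus"
            validate(rrset, sigs, trusted))        # untouched reply: "secure"


if __name__ == "__main__":
    print(downgrade_scenario())
```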