[dnssec-deployment] DNSSEC deployment hurdles

Mark Andrews marka at isc.org
Mon Aug 31 10:16:18 EDT 2009


In message <list-17987952 at execdsl.com>, bert hubert writes:
> On Mon, Aug 31, 2009 at 12:38 AM, Paul Wouters<paul at xelerance.com> wrote:
> >> It turns out that BIND, which is reputed to use 'do=1' queries, and
> >> should thus expose these problems, actually drops EDNS (and with it
> >> the do bit) on timeouts.
> >
> > I hope it is more subtle than that, because else bind would be vulnerable
> > to a very easy bid-down attack from dnssec to non-dnssec.
> 
> Indeed - the measurements I did were for 'the default out of the box
> BIND', as shipped by Ubuntu 9.04.
> 
> If one configures a trust anchor for that version ('9.5.1.dfsg.P2'),
> the behaviour is entirely different, with that version not even
> falling back to TCP for secured domains in case of large packets
> failing to arrive (!).

You need to ask Ubuntu what they did.  BIND 9.5.1, as shipped by us,
will fall back to TCP but the query will be plain DNS.  See the bug
below.

> Investigating this further to see if this issue is present in current
> versions of BIND. The effect of this is that in my testing setup,
> which blocks fragments, BIND 9.5.1 as modified by Ubuntu, is unable to
> do any DNSSEC validation at all (since it never is able to retrieve
> the DNSKEY).
> 
> The reason I care is that deployers will typically "see" DNSSEC
> through the glasses of their favorite resolver (BIND), and it appears
> that at least in this version, no fragments means no DNSSEC. And that
> means an 8-13% failure rate.
> 
> But I might be wrong, or newer versions may have fixed this behaviour.
> So take it with a grain of salt.
> 
>    Bert

Can I suggest that you try BIND 9.6.1 which includes:

2564.   [bug]           Only take EDNS fallback steps when processing timeouts.
                        [RT #19405]

This is in BIND 9.5.2.  BIND 9.5.2b1 should be out this week.

I've run BIND 9.6.1 behind firewalls which drop fragments and
firewalls which drop anything bigger than 512.  Validation still
works in both cases.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
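A simplified model, added here as an illustration and not code from BIND or from anyone in this thread, of the fallback behaviour discussed above: a resolver that takes an EDNS fallback step on a truncated reply ends up retrying over TCP with plain DNS (no DO bit, so no RRSIGs), while one that steps down only on timeouts keeps EDNS for the TCP retry and can still fetch the signed DNSKEY. The response sizes, buffer-size steps and firewall model are constructed assumptions.

```python
# Simplified model (an assumption, not BIND's code) of resolver EDNS fallback
# steps behind a firewall that drops large UDP responses. It contrasts a
# resolver that drops EDNS on any failure with one that only steps down on
# timeouts and keeps EDNS when retrying over TCP after a truncated reply.

DNSKEY_WITH_RRSIG = 1700   # constructed: DNSKEY+RRSIG answer size when DO=1
DNSKEY_PLAIN = 400         # constructed: DNSKEY answer size without signatures


def server(udp: bool, edns_size, do_bit: bool):
    """Authoritative side: return (truncated, bytes_sent, has_rrsig)."""
    size = DNSKEY_WITH_RRSIG if do_bit else DNSKEY_PLAIN
    limit = edns_size if edns_size else 512   # no EDNS -> classic 512-byte limit
    if udp and size > limit:
        return True, limit, False              # TC=1, signatures did not fit
    return False, size, do_bit


def resolve(firewall_max_udp: int, fallback_on_truncation: bool) -> bool:
    """Walk the fallback steps; True if RRSIGs arrived (validation possible).

    firewall_max_udp: largest UDP reply the firewall lets through
                      (1500 ~ "drops fragments", 512 ~ "drops anything bigger").
    fallback_on_truncation: the buggy behaviour (EDNS step on TC, not just timeout).
    """
    steps = [4096, 512, None]   # EDNS buffer sizes; None = plain DNS, no DO bit
    i, udp = 0, True
    while i < len(steps):
        edns = steps[i]
        do_bit = edns is not None
        tc, size, has_rrsig = server(udp, edns, do_bit)
        if udp and size > firewall_max_udp:
            i += 1                 # reply never arrives: timeout, take one step
            continue
        if tc:
            if fallback_on_truncation:
                i += 1             # bug: drop EDNS (and DO) before going to TCP
            udp = False            # retry over TCP
            continue
        return has_rrsig
    return False                   # ran out of steps without a usable reply


if __name__ == "__main__":
    for fw in (1500, 512):
        print(fw, "buggy:", resolve(fw, True), "fixed:", resolve(fw, False))
```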