[rbldnsd] Feature request: DNSSEC

Victor Duchovni Victor.Duchovni at morganstanley.com
Thu Jul 10 22:28:08 MSD 2008


On Thu, Jul 10, 2008 at 10:20:17PM +0400, Michael Tokarev wrote:

> Victor Duchovni wrote:
> > On Thu, Jul 10, 2008 at 09:28:40AM -0700, Jeff Chan wrote:
> > 
> >> Hi Michael,
> >> In light of the recent DNS cache poisoning exploits identified,
> >> may I request DNSSEC for rbldnsd?  Obviously this could add very
> >> significant overhead but it could help prevent alteration of DNS
> >> responses in a remote cache.
> > 
> > The SpamHaus PBL contains ~420 million logical RRsets. Each would have
> > to be individually signed. All the individual IPs in the zone (instead
> > of rather large efficiently stored CIDR blocks) would need a separate
> > record in the RBL zone file. Rsync feeds of PBL would become essentially
> > impossible.
> 
> Or let rbldnsd sign replies on the fly, giving it the necessary key(s).
> It's a trade-off between being unrealistic and providing some protection.
> After all, signing key security isn't more important than the data it
> protects.
> 
> But I still don't think it's necessary to implement.  All this current
> fuss about DNS insecurities, with "DNSSEC" written over everything...
> There are far more important points to attack than a DNSBL.  And even
> if a DNSBL is being attacked, it's usually some sort of DDoS attack
> against DNSBL itself.

And on-the-fly signing will severely degrade performance under DDoS
conditions. If the (ideally in-bailiwick) "NS" records of the RBL zone
could be signed, without signing the rest of the zone, that could be
beneficial.  Individual IP entries are not IMHO a high value target.

Sadly, it is not possible to mark NS records as "terminal" (no delegations
possible below this point), and without such terminal records, signing
the NS records alone is not particularly effective, so the "If" above is
mere wishful thinking...

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.
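The objection above, that a DNSSEC-signed RBL zone would need a separate record (and signature) for every listed address rather than one line per CIDR block, can be made concrete. The following is an added example and not rbldnsd code or anything from the thread: it takes ip4set-style entries, expands each block into the reversed-octet owner names a signed zone would have to carry, and counts them. The entries and the zone name `bl.example` are constructed for the example, not real DNSBL data.

```python
"""Added example: owner-name expansion of a CIDR-compressed DNSBL zone.

rbldnsd stores an ip4set zone as CIDR blocks and synthesizes the answer
for any queried address inside a block.  DNSSEC signs RRsets per owner
name, so a signed zone needs one reversed-octet name per listed address,
each with at least one RRSIG.  This is illustrative code, not part of
rbldnsd; the entries below are constructed and are not a real feed.
"""
import ipaddress
from typing import Iterable, Iterator

# Constructed sample of ip4set-style entries (not real PBL data).
SAMPLE_ENTRIES = [
    "192.0.2.0/24",      # 256 addresses
    "198.51.100.0/22",   # 1024 addresses
    "203.0.113.7",       # a single host
]


def owner_names(entries: Iterable[str], zone: str) -> Iterator[str]:
    """Yield the reversed-octet owner name of every address covered.

    A bare address is treated as a /32; a block is expanded to every
    address in it (network and broadcast included, as a DNSBL lists them).
    """
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        for addr in net:
            labels = str(addr).split(".")
            yield ".".join(reversed(labels)) + "." + zone


def signed_rrset_count(entries: Iterable[str]) -> int:
    """Number of owner names (hence minimum RRsets to sign) for the entries."""
    total = 0
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        total += net.num_addresses
    return total


def expansion_factor(entries: Iterable[str]) -> float:
    """Signed owner names per source line: how much the feed would grow."""
    entries = list(entries)
    return signed_rrset_count(entries) / len(entries)


if __name__ == "__main__":
    for name in list(owner_names(["192.0.2.0/30"], "bl.example")):
        print(name)
    print("owner names:", signed_rrset_count(SAMPLE_ENTRIES))
    print("expansion factor:", expansion_factor(SAMPLE_ENTRIES))
```

Three source lines become 1281 owner names here; a single /8 in a feed becomes 16,777,216, which is the scale behind the remark that rsync distribution of a signed PBL would become impractical.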

