This is a discussion on Forgery Resistance phase #2 - DNS
This message is sent in my role as chair with consent of my co-chair but without
his editing help, thus any mistakes in this message are mine and only mine.
The large volume of messages over the last 2 weeks related to how to make DNS
safer made me think about "what are all the different possible approaches?"
Below is a list of ideas I have heard mentioned or thought of.
The list is supposed to be as complete as possible; if there is anything
missing feel free to bring it up.
Some of the ideas are stupid or do not make sense but are documented here
for the sake of completeness.
Deployment of some of these ideas can be done real soon; others require
extensive software upgrades. The final solution selection may include more than
one of the ideas below, as there is frequently not just one solution.
The goal of this email is that the WG is in a position to know that it is
selecting from a "complete set" of solutions when/if the WG (or DNSOP WG)
decides that it should attempt to document/recommend more approaches than
what was covered in the FR-draft.
Covered in FR draft:
Randomness possibilities that originators have:
Destination Address 
Case games (like x20)
Multiple identical questions 
Repeat question 
Spread question to number of nameservers. 
Delay question 
Time spaced repeated questions 
"random" TCP query 
What Destinations can do to increase protection:
More addresses: 
Protections that require both parties' collaboration:
TKEY + TSIG/SIG(0)
SIG(0) Destination Protocol/port 
Query name hacks (pre and post fixes) 
EDNS ECHO 
QCount > 1 
QClass top bit 8 redefinition 
IPsec tunnels 
IPv6 preference 
Steps that resolvers can take to protect themselves:
and react to forgery attempts.
Steps that operators of authoritative servers/zone owners can take:
Deploy only current software
Update ACL rules to reflect current recommended DNS port usage.
 Destination Address: Many implementations go to the first name server in an
NS set all the time; some go to the one they know is closest, or go
to the one that they know has answered a query in the past, one they
have an A record for, etc.
From a security point of view always selecting a random server is the
best option. From an operating point of view this may/will cause more
delays/errors. For high availability zones with short names, having
large NS sets is a possible source of randomness; for example "." has
13 A addresses, which adds 3.5 bits of randomness for resolvers that use
random selection. By expanding this to randomly select IPv4 or IPv6
as the transport for the query another bit can be added.
 Destination Port: Another potential source for randomness is to reserve
4 - 16 ports that DNS servers MUST listen on. 16 ports add 4 bits of
 Query name hacks: This relates to adding a label in front of the QNAME in the query
section or after it,
or even if QNAME is a.b.c to do
.b.c or a.b. .c
The added label in this case has a known prefix in the first label
that is registered with IANA so people can avoid it; if it
is multiple labels, the first label should encode
how many bytes or labels to strip.
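The case game listed above (0x20) is the simplest of these query-name tricks: the resolver randomizes the case of each letter in the QNAME and accepts an answer only if the server echoes the question back with the same case and the same ID. The following Python is an added example, not code from this post or from any resolver; the message builder is a constructed minimal one (one question, no records) and the names and IDs are made up.

```python
import random
import struct


def randomize_case(qname: str, rng: random.Random) -> str:
    """0x20 encoding: flip the case of each letter at random; digits, '-' and '.' are untouched."""
    return "".join(c.upper() if c.isalpha() and rng.getrandbits(1) else c.lower() for c in qname)


def case_entropy_bits(qname: str) -> int:
    """Each letter contributes one bit of randomness; other characters contribute none."""
    return sum(1 for c in qname if c.isalpha())


def encode_name(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels with case preserved, then the root label."""
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_message(qname: str, txid: int, response: bool, qtype: int = 1, qclass: int = 1) -> bytes:
    """Constructed minimal DNS message: header, one question, no records (RD set; QR also set for a response)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_question(msg: bytes):
    """Return (txid, qname, qtype, qclass) with the name exactly as carried on the wire (case kept)."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, ".".join(labels) + ".", qtype, qclass


def answer_acceptable(query: bytes, response: bytes) -> bool:
    """Resolver-side check: QR must be set, and ID plus the case-preserved question must echo the query."""
    return (response[2] & 0x80) != 0 and parse_question(query) == parse_question(response)


if __name__ == "__main__":
    rng = random.Random()
    name = randomize_case("www.example.com.", rng)                 # e.g. "wWw.ExAmPlE.cOm."
    txid = rng.getrandbits(16)
    query = build_message(name, txid, response=False)
    genuine = build_message(name, txid, response=True)               # server echoed our case
    forged = build_message("www.example.com.", txid, response=True)  # right ID, wrong case
    print(case_entropy_bits(name), answer_acceptable(query, genuine), answer_acceptable(query, forged))
```

A forger who guesses the 16-bit ID still has to guess the 13 case bits of this name, which is the extra entropy the case game buys.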
 EDNS Echo: A simple option to EDNS that instructs a server to copy back
this option in the answer, or the answer is not to be trusted.
The contents of the option are random data unique to the query.
 Multiple identical questions: In this case a resolver fires off a number of identical questions and
expects to get the same number of identical answers.
 Repeat question: In this case the resolver repeats the question after getting an answer;
it expects an identical answer.
 Spread question: Spread the question to a number of nameservers/recursive resolvers and
expect to get back identical answers from all.
 Delay question: Here the resolver waits for a short random time before sending the
question, but it is listening for answers from the time it forms
This is to detect a forgery attack before sending the question.
 Time spaced repeated questions: In this case the resolver sends queries that are spaced in time
and it expects the answers to come back in the same order as sent; the
time between the second and subsequent answers should approximate
the transmission time.
 More destination addresses: larger NS sets potentially offer more
protection as the client has more addresses to choose from.
 TCP queries: TCP queries are controversial as they require more state and overhead.
Over the last few years we have seen TCP stacks optimized for handling
large numbers of TCP connections, thus the assumptions for not using TCP
for DNS should be reexamined, and requiring a TCP port to be available on
authoritative servers will allow clients to fall back on TCP in
 IPsec: this is an option when there is a strong relationship between two
DNS entities; it is not clear how applicable it is in the random
resolver talking to random server case.
 QClass top bits: Right now about 4 classes are defined in the IANA registry. Use
of new classes is difficult to say the least. For this reason it is tempting
to steal some of these unusable bits to help protect the protocol.
The proposal is to redefine the top 8 bits into a QID; servers would
ignore these bits when checking the class in answers but echo them back in the
 QCOUNT > 1: QCOUNT > 1 is currently not allowed but could be used to add randomness to
the query if the second query is ignored in the answer processing
but is copied into the answer. There are a number of different possibilities
in how the randomness is expressed: in the label, QCLASS, QTYPE or all of them.
 IPv6 preference for queries: A resolver can cycle through many
privacy addresses to increase source address randomization.
Sorry for the lack of attributions in this posting; if/when this becomes
an ID that will be fixed.