[161899] in North American Network Operators' Group
Can we not just fix it? WAS:Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Michael DeMan)
Thu Mar 28 04:11:26 2013
From: Michael DeMan <nanog@deman.com>
In-Reply-To: <CAP-guGWQjOVEJ4OCEn3sJuHLwq-hwg=g-7WdzAuhj77Uj3i4Cg@mail.gmail.com>
Date: Thu, 28 Mar 2013 01:11:07 -0700
To: William Herrin <bill@herrin.us>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
AsI think as we all know the deficiency is the design of the DNS system =
overall.
No disrespect to anybody, but lots of companies make money off of the =
design deficiencies and try to position themselves as offering 'value =
add services' or something similar. Basically they make money because =
the inherent design of the DNS system is the antithesis of being able to =
deliver information on a best effort basis. Entire 'value add' economic =
ecosystems are created with these kinds of things and once it is done, =
it is extremely difficult to un-do.
If the endpoint is not available or is unreliable, this is all well =
understood and 100% captured in the modern implementations of the =
Internet with it be OSI or TCP/IP and even with numerous extensions from =
there.
The fundamental cause and source of failure for these kinds of attacks =
comes from the the way the DNS (and lets not even get into 'valid' SSL =
certs) is designed. It is fundamentally flawed. I am sure there were =
plenty of political reasons for it to have ended up this way instead of =
being done in a more robust fashion?
For all the gripes and complaints - all I see is complaints of the =
symptoms and nobody calling out the original cause of the disease?
On Mar 27, 2013, at 6:47 AM, William Herrin <bill@herrin.us> wrote:
> On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom@cloudflare.com> =
wrote:
>> Authoritative DNS servers need to implement rate limiting. (a client
>> shouldn't query you twice for the same thing within its TTL).
>=20
> Right now that's a complaint for the mainstream software authors, not
> for the system operators. When the version of Bind in Debian Stable
> implements this feature, I'll surely turn it on.
>=20
> Regards,
> Bill Herrin
>=20
>=20
> --=20
> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>=20
