Preventing Use of Recursive Nameservers in Reflector Attacks
draft-ietf-dnsop-reflectors-are-evil-06
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Record position for Cullen Jennings |
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Tim Polk |
2008-09-17
|
06 | (System) | IANA Action state changed to No IC from In Progress |
2008-09-17
|
06 | (System) | IANA Action state changed to In Progress |
2008-09-15
|
06 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2008-09-15
|
06 | Amy Vezza | IESG state changed to Approved-announcement sent |
2008-09-15
|
06 | Amy Vezza | IESG has approved the document |
2008-09-15
|
06 | Amy Vezza | Closed "Approve" ballot |
2008-09-13
|
06 | Ron Bonica | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Ron Bonica |
2008-09-08
|
06 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Undefined by Tim Polk |
2008-09-08
|
06 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to Undefined from Discuss by Tim Polk |
2008-09-01
|
06 | (System) | New version available: draft-ietf-dnsop-reflectors-are-evil-06.txt |
2008-07-29
|
06 | Tim Polk | [Ballot discuss] [This is a yet another revised discuss; after discussion with Paul Hoffman, the issues I inherited from Sam are now considered resolved. We … [Ballot discuss] [This is a yet another revised discuss; after discussion with Paul Hoffman, the issues I inherited from Sam are now considered resolved. We are now down to one simple issue.] The security considerations sections correctly states that it "does not create any new security issues", but the three techniques proposed by the document do have security issues. These should be mentioned. For TSIG, RFC 2845 already provides a reasonable description of the security considerations, so a pointer should suffice. For SIG(0), the Security Considerations of RFC 2931 and 2535 apply, and should be noted. The security considerations for 2931 and 2535 seem thin, I would encourage teh authors to consider whether they should augment those considerations. (I will clear based on a reference, though.) |
2008-03-25
|
06 | Amy Vezza | State Change Notice email list have been change to dnsop-chairs@tools.ietf.org, pk@isoc.de from dnsop-chairs@tools.ietf.org |
2008-03-19
|
06 | Tim Polk | [Ballot discuss] [This is a yet another revised discuss; Most of the issues raised in my discuss and some of Sam's were resolved in the … [Ballot discuss] [This is a yet another revised discuss; Most of the issues raised in my discuss and some of Sam's were resolved in the -05 draft] The security considerations sections correctly states that it "does not create any new security issues", but the three techniques proposed by the document do have security issues. These should be mentioned. For TSIG, RFC 2845 already provides a reasonable description of the security considerations, so a pointer should suffice. For SIG(0), the Security Considerations of RFC 2931 and 2535 (which are included by reference) seem really thin - perhaps the authors could do better here. We should also acknowledge the limitations and vulnerabilities of IP address filtering. From Sam Hartman's discuss: Paul Hoffman brought up a last call comment on the ietf list; I believe this comment needs to be addressed. I support discussing this issue in the security considerations section. I don't think we can take a recommendation for or against using an open recursive name server for roaming users; I don't see sufficient discussion to support that either way. However the recommendation in section 4 is worded in such a way to allow organizations who have a need to do so to run open recursive name servers. I think that's fine and appropriate. Please add security considerations text to address Paul's issue without making a recommendation about whether the practice is advisable. Obviously factual discussion of the problems of that organizational choice are appropriate. Similarly, if you want to argue that my reading of whether there is a consensus to recommend against this practice exists I'll listen to your argument. >The Security Considerations section for this document is much too >narrow. It ignores one of the main reasons that many organizations >purposely choose to provide recursive lookup to the public, namely for >their own roaming users. Without an open, known-good nameserver at a >fixed address, roaming users need to trust whatever is given to them >by their ISP at the moment, and it is reasonable for organizations to >consider this too large of a risk. Unless the organization has a way >to tunnel DNS queries back to a non-recursive nameserver (such as >through IPsec), having a recursive nameserver available increases the >security of their roaming users. > >There are two major reasons for an organization to not want roaming >users to trust locally-assigned DNS servers. > >- An attacker might have compromised the DHCP server to which the user >conntect to point to a compromised DNS server. Although such an >attacker can also cause the DHCP server to point to a compromised >next-hop router, it is easier and less detectable for most attackers >to compromise a DNS server than a router. There are plenty of examples >where compromised DNS servers lead to spoofing and MITM attacks. > >- Some ISPs use DNS servers that purposely do not follow the same good >practices that the organization uses. In particular, some ISPs have >used bogus TLDs and name-lookup services to generate revenue. > >The Security Considerations section needs to deal with these issues, >even if they do not change the advice given in section 4. |
2008-03-11
|
06 | Tim Polk | [Ballot discuss] [This is a revised discuss; I am assuming Sam's issues in addition to my own as part of the AD transition.] I am … [Ballot discuss] [This is a revised discuss; I am assuming Sam's issues in addition to my own as part of the AD transition.] I am uncomfortable with the characterization of IP address filtering by the nameserver as "client authentication". I do not dispute the applicability of the mechanism, but we have enough experience with address spoofing to know that we haven't really authenticated the sending host. In addition, the document has some helpful words regarding the applicability of the second and third techniques (incoming interface based selection, and signed queries respectively) but does not describe when IP address filtering is appropriate. The document implies that, if widely deployed, ingress filtering would be a complete solution. I suspect that a variety of other avenues will always exist (exploiting misconfigured dual-homed systems, for instance) so the techniques listed in Section 4 to limit service to intended clients will always be needed. The security considerations sections correctly states that it "does not create any new security issues", but the three techniques proposed by the document do have security issues. These should be mentioned. For TSIG, RFC 2845 already provides a reasonable description of the security considerations, so a pointer should suffice. For SIG(0), the Security Considerations of RFC 2931 and 2535 (which are included by reference) seem really thin - prehaps the authors could do better here. We should also acknowledge the limitations and vulnerabilities of IP address filtering. From Sam Hartman's discuss: The description of the attack in section 3 is sufficiently hard to follow that I would have been unable to do so had it not been presented in detail at the IAB workshop on unwanted traffic. Start by using less abbreviations and acronyms and see if that makes it clear enough that it is easy to follow. Paul Hoffman brought up a last call comment on the ietf list; I believe this comment needs to be addressed. I support discussing this issue in the security considerations section. I don't think we can take a recommendation for or against using an open recursive name server for roaming users; I don't see sufficient discussion to support that either way. However the recommendation in section 4 is worded in such a way to allow organizations who have a need to do so to run open recursive name servers. I think that's fine and appropriate. Please add security considerations text to address Paul's issue without making a recommendation about whether the practice is advisable. Obviously factual discussion of the problems of that organizational choice are appropriate. Similarly, if you want to argue that my reading of whether there is a consensus to recommend against this practice exists I'll listen to your argument. >The Security Considerations section for this document is much too >narrow. It ignores one of the main reasons that many organizations >purposely choose to provide recursive lookup to the public, namely for >their own roaming users. Without an open, known-good nameserver at a >fixed address, roaming users need to trust whatever is given to them >by their ISP at the moment, and it is reasonable for organizations to >consider this too large of a risk. Unless the organization has a way >to tunnel DNS queries back to a non-recursive nameserver (such as >through IPsec), having a recursive nameserver available increases the >security of their roaming users. > >There are two major reasons for an organization to not want roaming >users to trust locally-assigned DNS servers. > >- An attacker might have compromised the DHCP server to which the user >conntect to point to a compromised DNS server. Although such an >attacker can also cause the DHCP server to point to a compromised >next-hop router, it is easier and less detectable for most attackers >to compromise a DNS server than a router. There are plenty of examples >where compromised DNS servers lead to spoofing and MITM attacks. > >- Some ISPs use DNS servers that purposely do not follow the same good >practices that the organization uses. In particular, some ISPs have >used bogus TLDs and name-lookup services to generate revenue. > >The Security Considerations section needs to deal with these issues, >even if they do not change the advice given in section 4. |
2008-03-06
|
06 | Cullen Jennings | [Ballot Position Update] Position for Cullen Jennings has been changed to Undefined from Discuss by Cullen Jennings |
2008-03-06
|
06 | Cullen Jennings | [Ballot comment] The advice in this draft seems to suggest that it not using ingress filtering is what is evil, not that reflectors are evil. … [Ballot comment] The advice in this draft seems to suggest that it not using ingress filtering is what is evil, not that reflectors are evil. But given the word evil does not seem like it will show up in the final RFC, I don't think this matters. I'm having a hard time finding the discussion leading to the consensus that this is the best design. Let me separate this into a bunch of points for that I would like to talk about, and once we have discussed them, I will remove them or turn them into an actionable discuss. As has been pointed out in some emails, it seems like a reasonable assumption there will be plenty of large DNS records on authoritative servers without the attacker needing to create them. If this is not the case that there will be records larger than X, then the simple solution seems to be to not allow records larger than X. Given this, I am very uncomfortable with the advice of turning off recursive name service for non authenticated clients. I am mostly uneasy with this because none of the schemes for authenticating a client look like they will meet a large percentage of the deployment use cases. Moving to the topic of using reflectors in dos attacks, in general I think we have seen three approaches to solving this: 1) block spoofed requests 2) return route checks, and 3) don't allow amplification. The advice of following BCP 38 is no doubt good advice but we have been recommending that for a very long time and have not made much progress. We could delve into why it is hard to do BCP 38 (even assuming all the equipment supports it) or why the people that need to deal with the pain of doing it do not have many incentives to actually do it but regardless of all that, I doubt that this document saying people should do BCP 38 will really up the rate of adoption of BCP 38 very much. That makes me wonder why this solution over other ones. This takes me on to return route checks. The trivial return route check would be use TCP and clearly there is experience with this and it does not work thought some percentage of firewalls. Now we could argue about if the firewalls were misconfigured or not but what about a very pragmatic approach of for large responses, trying a UDP based liveness check. I tried to find a record of discussion about this but could not. I'm curios to know if this ideas was considered and thrown out in favor of BCP 38. The final approach sounds very lame at first glance but would simply be to not allow large repossess that were say more than twice the size of the request and allow the client to pad out requests that the client knew would result in large responses. Again, I'm curios if any ideas were considered and discarded for BCP 38. Would some combination of any of these make sense? |
2007-12-03
|
06 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2007-12-03
|
05 | (System) | New version available: draft-ietf-dnsop-reflectors-are-evil-05.txt |
2007-10-05
|
06 | (System) | Removed from agenda for telechat - 2007-10-04 |
2007-10-04
|
06 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2007-10-04
|
06 | David Ward | [Ballot Position Update] New position, No Objection, has been recorded by David Ward |
2007-10-04
|
06 | Jon Peterson | [Ballot Position Update] New position, No Objection, has been recorded by Jon Peterson |
2007-10-04
|
06 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded by Jari Arkko |
2007-10-04
|
06 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2007-10-04
|
06 | Lisa Dusseault | [Ballot Position Update] New position, No Objection, has been recorded by Lisa Dusseault |
2007-10-04
|
06 | Russ Housley | [Ballot comment] Other ADs have already entered Discuss positions that cover my concerns. I'm confident that resolution of those positions will resolve my … [Ballot comment] Other ADs have already entered Discuss positions that cover my concerns. I'm confident that resolution of those positions will resolve my concerns. |
2007-10-04
|
06 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley |
2007-10-04
|
06 | Mark Townsley | [Ballot Position Update] New position, No Objection, has been recorded by Mark Townsley |
2007-10-04
|
06 | Chris Newman | [Ballot comment] I support Tim's concern with terminology, and the gist of Paul Hoffman's last call comment. However, the key recommendation of this draft seems … [Ballot comment] I support Tim's concern with terminology, and the gist of Paul Hoffman's last call comment. However, the key recommendation of this draft seems important and appropriate. The acronym "SOHO" is used without being expanded on first use. |
2007-10-04
|
06 | Chris Newman | [Ballot Position Update] New position, No Objection, has been recorded by Chris Newman |
2007-10-03
|
06 | Cullen Jennings | [Ballot discuss] I'm having a hard time finding the discussion leading to the consensus that this is the best design. Let me separate this into … [Ballot discuss] I'm having a hard time finding the discussion leading to the consensus that this is the best design. Let me separate this into a bunch of points for that I would like to talk about, and once we have discussed them, I will remove them or turn them into an actionable discuss. As has been pointed out in some emails, it seems like a reasonable assumption there will be plenty of large DNS records on authoritative servers without the attacker needing to create them. If this is not the case that there will be records larger than X, then the simple solution seems to be to not allow records larger than X. Given this, I am very uncomfortable with the advice of turning off recursive name service for non authenticated clients. I am mostly uneasy with this because none of the schemes for authenticating a client look like they will meet a large percentage of the deployment use cases. Moving to the topic of using reflectors in dos attacks, in general I think we have seen three approaches to solving this: 1) block spoofed requests 2) return route checks, and 3) don't allow amplification. The advice of following BCP 38 is no doubt good advice but we have been recommending that for a very long time and have not made much progress. We could delve into why it is hard to do BCP 38 (even assuming all the equipment supports it) or why the people that need to deal with the pain of doing it do not have many incentives to actually do it but regardless of all that, I doubt that this document saying people should do BCP 38 will really up the rate of adoption of BCP 38 very much. That makes me wonder why this solution over other ones. This takes me on to return route checks. The trivial return route check would be use TCP and clearly there is experience with this and it does not work thought some percentage of firewalls. Now we could argue about if the firewalls were misconfigured or not but what about a very pragmatic approach of for large responses, trying a UDP based liveness check. I tried to find a record of discussion about this but could not. I'm curios to know if this ideas was considered and thrown out in favor of BCP 38. The final approach sounds very lame at first glance but would simply be to not allow large repossess that were say more than twice the size of the request and allow the client to pad out requests that the client knew would result in large responses. Again, I'm curios if any ideas were considered and discarded for BCP 38. Would some combination of any of these make sense? |
2007-10-03
|
06 | Cullen Jennings | [Ballot discuss] I'm having a hard time finding the discussion leading to the consensus that this is the best design. Let me separate this into … [Ballot discuss] I'm having a hard time finding the discussion leading to the consensus that this is the best design. Let me separate this into a bunch of points for that I would like to talk about, and once we have discussed them, I will remove them or turn them into an actionably discuss. As has been pointed out in some emails, it seems like a reasonable assumption there will be plenty of large DNS records on authoritative servers without the attacker needing to create them. If this is not the case that there will be records larger than X, then the simple solution seems to be to not allow records larger than X. Given this, I am very uncomfortable with the advice of turning off recursive name service for non authenticated clients. I am mostly uneasy with this because none of the schemes for authenticating a client look like they will meet a large percentage of the deployment use cases. Moving to the topic of using reflectors in dos attacks, in general I think we have seen three approaches to solving this: 1) block spoofed requests 2) return route checks, and 3) don't allow amplification. The advice of following BCP 38 is no doubt good advice but we have been recommending that for a very long time and have not made much progress. We could delve into why it is hard to do BCP 38 (even assuming all the equipment supports it) or why the people that need to deal with the pain of doing it do not have many incentives to actually do it but regardless of all that, I doubt that this document saying people should do BCP 38 will really up the rate of adoption of BCP 38 very much. That makes me wonder why this solution over other ones. This takes me on to return route checks. The trivial return route check would be use TCP and clearly there is experience with this and it does not work thought some percentage of firewalls. Now we could argue about if the firewalls were misconfigured or not but what about a very pragmatic approach of for large responses, trying a UDP based liveness check. I tried to find a record of discussion about this but could not. I'm curios to know if this ideas was considered and thrown out in favor of BCP 38. The final approach sounds very lame at first glance but would simply be to not allow large repossess that were say more than twice the size of the request and allow the client to pad out requests that the client knew would result in large responses. Again, I'm curios if any ideas were considered and discarded for BCP 38. Would some combination of any of these make sense? |
2007-10-03
|
06 | Cullen Jennings | [Ballot Position Update] New position, Discuss, has been recorded by Cullen Jennings |
2007-10-03
|
06 | Cullen Jennings | [Ballot comment] The advice in this draft seems to suggest that it not using ingress filtering is what is evil, not that reflectors are evil. … [Ballot comment] The advice in this draft seems to suggest that it not using ingress filtering is what is evil, not that reflectors are evil. But given the word evil does not seem like it will show up in the final RFC, I don't think this matters. |
2007-10-03
|
06 | Lars Eggert | [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert |
2007-10-03
|
06 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded by Magnus Westerlund |
2007-10-03
|
06 | Tim Polk | [Ballot discuss] I am uncomfortable with the characterization of IP address filtering by the nameserver as "client authentication". I do not dispute the applicability of … [Ballot discuss] I am uncomfortable with the characterization of IP address filtering by the nameserver as "client authentication". I do not dispute the applicability of the mechanism, but we have enough experience with address spoofing to know that we haven't really authenticated the sending host. In addition, the document has some helpful words regarding the applicability of the second and third techniques (incoming interface based selection, and signed queries respectively) but does not describe when IP address filtering is appropriate. The document implies that, if widely deployed, ingress filtering would be a complete solution. I suspect that a variety of other avenues will always exist (exploiting misconfigured dual-homed systems, for instance) so the techniques listed in Section 4 to limit service to intended clients will always be needed. The security considerations sections correctly states that it "does not create any new security issues", but the three techniques proposed by the document do have security issues. These should be mentioned. For TSIG, RFC 2845 already provides a reasonable description of the security considerations, so a pointer should suffice. For SIG(0), the Security Considerations of RFC 2931 and 2535 (which are included by reference) seem really thin - prehaps the authors could do better here. We should also acknowledge the limitations and vulnerabilities of IP address filtering. |
2007-10-03
|
06 | Tim Polk | [Ballot discuss] I am uncomfortable with the characterization of IP address filtering by the nameserver as "client authentication". I do not dispute the applicability of … [Ballot discuss] I am uncomfortable with the characterization of IP address filtering by the nameserver as "client authentication". I do not dispute the applicability of the mechanism, but we haver enough experience with address spoofing to know that we haven't really authenticated the sending host. In addition, the document has some helpful words regarding the applicability of the second and third techniques (incoming interface based selection, and signed queries respectively) but does not describe when IP address filtering is appropriate. The document implies that, if widely deployed, ingress filtering would be a complete solution. I suspect that a variety of other avenues will always exist (exploiting misconfigured dual-homed systems, for instance) so the techniques listed in Section 4 to limit service to intended clients will always be needed. The security considerations sections correctly states that it "does not create any new security issues", but the three techniques proposed by the document do have security issues. These should be mentioned. For TSIG, RFC 2845 already provides a reasonable description of the security considerations, so a pointer should suffice. For SIG(0), the Security Considerations of RFC 2931 and 2535 (which are included by reference) seem really thin - prehaps the authors could do better here. We should also acknowledge the limitations and vulnerabilities of IP address filtering. |
2007-10-03
|
06 | Tim Polk | [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk |
2007-10-02
|
06 | Sam Hartman | [Ballot discuss] [This is a preliminary discuss; I reserve the right to add to it until the telechat on Thursday. I wanted to get this … [Ballot discuss] [This is a preliminary discuss; I reserve the right to add to it until the telechat on Thursday. I wanted to get this issue filed as a discuss so people could think about it.] The description of the attack in section 3 is sufficiently hard to follow that I would have been unable to do so had it not been presented in detail at the IAB workshop on unwanted traffic. Start by using less abbreviations and acronyms and see if that makes it clear enough that it is easy to follow. Paul Hoffman brought up a last call comment on the ietf list; I believe this comment needs to be addressed. I support discussing this issue in the security considerations section. I don't think we can take a recommendation for or against using an open recursive name server for roaming users; I don't see sufficient discussion to support that either way. However the recommendation in section 4 is worded in such a way to allow organizations who have a need to do so to run open recursive name servers. I think that's fine and appropriate. Please add security considerations text to address Paul's issue without making a recommendation about whether the practice is advisable. Obviously factual discussion of the problems of that organizational choice are appropriate. Similarly, if you want to argue that my reading of whether there is a consensus to recommend against this practice exists I'll listen to your argument. >The Security Considerations section for this document is much too >narrow. It ignores one of the main reasons that many organizations >purposely choose to provide recursive lookup to the public, namely for >their own roaming users. Without an open, known-good nameserver at a >fixed address, roaming users need to trust whatever is given to them >by their ISP at the moment, and it is reasonable for organizations to >consider this too large of a risk. Unless the organization has a way >to tunnel DNS queries back to a non-recursive nameserver (such as >through IPsec), having a recursive nameserver available increases the >security of their roaming users. > >There are two major reasons for an organization to not want roaming >users to trust locally-assigned DNS servers. > >- An attacker might have compromised the DHCP server to which the user >conntect to point to a compromised DNS server. Although such an >attacker can also cause the DHCP server to point to a compromised >next-hop router, it is easier and less detectable for most attackers >to compromise a DNS server than a router. There are plenty of examples >where compromised DNS servers lead to spoofing and MITM attacks. > >- Some ISPs use DNS servers that purposely do not follow the same good >practices that the organization uses. In particular, some ISPs have >used bogus TLDs and name-lookup services to generate revenue. > >The Security Considerations section needs to deal with these issues, >even if they do not change the advice given in section 4. |
2007-10-02
|
06 | Sam Hartman | [Ballot Position Update] New position, Discuss, has been recorded by Sam Hartman |
2007-09-27
|
06 | Ron Bonica | Placed on agenda for telechat - 2007-10-04 by Ron Bonica |
2007-09-27
|
06 | Ron Bonica | State Changes to IESG Evaluation from Waiting for Writeup by Ron Bonica |
2007-09-27
|
06 | Ron Bonica | [Ballot Position Update] New position, Yes, has been recorded for Ronald Bonica |
2007-09-27
|
06 | Ron Bonica | Ballot has been issued by Ron Bonica |
2007-09-27
|
06 | Ron Bonica | Created "Approve" ballot |
2007-09-27
|
06 | Samuel Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Steve Hanna. |
2007-09-25
|
06 | (System) | State has been changed to Waiting for Writeup from In Last Call by system |
2007-09-13
|
06 | Amanda Baber | IANA Last Call comments: As described in the IANA Considerations section, we understand this document to have NO IANA Actions. |
2007-09-13
|
06 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Steve Hanna |
2007-09-13
|
06 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Steve Hanna |
2007-09-11
|
06 | Amy Vezza | Last call sent |
2007-09-11
|
06 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2007-09-11
|
06 | Ron Bonica | Last Call was requested by Ron Bonica |
2007-09-11
|
06 | Ron Bonica | State Changes to Last Call Requested from Publication Requested by Ron Bonica |
2007-09-11
|
06 | (System) | Ballot writeup text was added |
2007-09-11
|
06 | (System) | Last call text was added |
2007-09-11
|
06 | (System) | Ballot approval text was added |
2007-08-09
|
06 | Dinara Suleymanova | PROTO Write-up (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, … PROTO Write-up (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? Peter Koch (==me) is the Document Shepherd for this document. I have read the latest version (-04) of the draft and believe it is ready for consideration by the IESG. (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The draft has undergone in-depth review in the DNSOP WG and has been brought to the attention of various other DNS operational fora. Reviews are available from the DNSOP archive in response to the WGLC There are no concerns about the depth or breadth of reviews. (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization, or XML? There are no such concerns. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. There are no IPR or similar issues with this document. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The WG had good consensus in favour of the document, its intended status and the recommendations it makes. Some WG members were uncomfortable with the focus being constrained to "recursive servers", leaving open the (ab)use of authoritative servers in similar or other attack scenarios. Given the state of the art separation of recursive and authoritative name servers and the particular problem that triggered writing of this document, the WG supports this going forward knowing that it does not address all potential amplification issues caused by large DNS responses. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) The judgement made by the WG to address the specific attack scenario observed in early 2006 was not supported by all WG members (see separate note). (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/.) Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type, and URI type reviews? If the document does not already indicate its intended status at the top of the first page, please indicate the intended status here. The draft has passed the ID nits test 2.04.12 at . This document is aimed at BCP status. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. The references are split into normative/informative and there are no downrefs. (1.i) Has the Document Shepherd verified that the document's IANA Considerations section exists and is consistent with the body of the document? If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC2434]. If the document describes an Expert Review process, has the Document Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during IESG Evaluation? The document does not require IANA action, which is what the IANA considerations section says. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? N/A (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary This document describes ways to prevent the use of recursive nameservers as reflectors in Denial of Service (DoS) attacks. It makes recommendations to both operators and vendors (for default configurations). Working Group Summary The document was started in reaction to the "DNS reflection attacks" widely published in early 2006. While the basic direction was clear from the beginning, it needed some discussion to agree upon a recommendation of the more sophisticated and less widely deployed querier authentication mechanisms (TSIG and SIG(0)). Document Quality After the February 2006 DNS amplification attacks, several surveys have discovered varying, but huge numbers of DNS resolvers on the Internet willing to respond to DNS queries of arbitrary origin. At least two vendors of DNS recursive servers (full resolvers) have announced to (or do already) follow the recommendations made in this document by adjusting their default ACLs. Personnel Peter Koch acted as the document shepherd. Ron Bonica reviewed this document for the IESG. |
2007-08-09
|
06 | Dinara Suleymanova | Draft Added by Dinara Suleymanova in state Publication Requested |
2007-07-25
|
04 | (System) | New version available: draft-ietf-dnsop-reflectors-are-evil-04.txt |
2007-02-14
|
03 | (System) | New version available: draft-ietf-dnsop-reflectors-are-evil-03.txt |
2006-09-19
|
02 | (System) | New version available: draft-ietf-dnsop-reflectors-are-evil-02.txt |
2006-06-28
|
01 | (System) | New version available: draft-ietf-dnsop-reflectors-are-evil-01.txt |
2006-05-17
|
00 | (System) | New version available: draft-ietf-dnsop-reflectors-are-evil-00.txt |