Re: namedroppers, continued

On Tue, 03 Dec 2002 08:21:22 PST, you said:

Stop blustering, you clearly did not know the difference between
a CRL and OCSP and certainly have no real world experience of
operating PKI on which to base your broad assertions.


I said "total process".  The process failure described in the CERT
advisory didn't care if it was a CRL, OCSP, a X.509 certificate, or
a piece of paper scotch-taped to one end of a tin-cans-and-string link
that says "Don't use unless your name is Fred".

I admit I don't do any PKI per se.  What I *do* have is over 2 decades
of making a good living at cleaning up the mess when people misconfigure
things.  So I'm reading RFC2560 and see this in section 5:

    A denial of service vulnerability is evident with respect to a flood
   of queries. The production of a cryptographic signature significantly
   affects response generation cycle time, thereby exacerbating the
   situation. Unsigned error responses open up the protocol to another
   denial of service attack, where the attacker sends false error
   responses.

and I combine that with the research out of CAIDA I cited earlier that showed
98% of DNS queries to a root nameserver being broken, and my experience
tells me that This Is A Train Wreck Waiting To Happen.

The only mitigating factor here is that section 2.5 allows the precomputing
of a response and associated signature.

You appear to be confusing CRLs with OCSP. Try reading the OCSP
spec, I wrote the original section on caching responses.


Hmm... I've checked RFC2560, and didn't find anything significant about caching
other than "beware HTTP proxies with broken caching" (or did you mean the
precomputation of responses in section 2.5)?  Also, is there a spec for a DNS
RR to supplement the serviceLocator extension of 2560 section 4.4.6?  That
would also help to minimize and distribute the load (as the OCSP RR could be
lumped in with the other DNS RR's for DNSSEC processing - handing back the OCSP
info in an "additional info" field then saves you another resource hit when an
OCSP query gets made.
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

pgp7DLpeE1tLO.pgp
Description: PGP signature

<Prev in Thread]	Current Thread	[Next in Thread>
RE: namedroppers, continued, Hallam-Baker, Phillip Re: namedroppers, continued, Aaron Swartz Re: namedroppers, continued, Valdis . Kletnieks RE: namedroppers, continued, Hallam-Baker, Phillip Re: namedroppers, continued, Valdis . Kletnieks RE: namedroppers, continued, Hallam-Baker, Phillip Re: namedroppers, continued, Valdis . Kletnieks Re: namedroppers, continued, Valdis . Kletnieks RE: namedroppers, continued, Hallam-Baker, Phillip Re: namedroppers, continued, Valdis . Kletnieks <= RE: namedroppers, continued, Hallam-Baker, Phillip RE: namedroppers, continued, Dean Anderson Re: namedroppers, continued, Randy Bush RE: namedroppers, continued, Fred Baker RE: namedroppers, continued, Marc Schneiders RE: namedroppers, continued, Vernon Schryver RE: namedroppers, continued, william RE: namedroppers, continued, John C Klensin RE: namedroppers, continued, william RE: namedroppers, continued, Joe Baptista