[Nfd-dev] LINK spec discussion

Yingdi Yu yingdi at CS.UCLA.EDU
Sun Sep 14 15:49:37 PDT 2014 

On Sep 14, 2014, at 3:38 PM, Wentao Shang <wentaoshang at gmail.com> wrote:

> On Sun, Sep 14, 2014 at 3:11 PM, Yingdi Yu <yingdi at cs.ucla.edu> wrote:
> 
> On Sep 12, 2014, at 9:53 PM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> 
>> Adding delegation to the mix could prevent an attack in IP DNS.
>> In IP DNS, if the owner of a large website points his A record to a smaller website, the large amount of traffic would cause denial of service in the smaller website, although doing so would make the large website itself inaccessible. (This happened once on BAIDU, a top search engine in China; an attacker hijacked BAIDU's Nameserver and pointed A record to a small server).
> 
> This attack may happen because DNSSEC is not enable. NDNS records are signed, and resolvers are required to validate that, so the worst case is that no one can do DNS resolution for Baidu, but the small web site should be fine.
> 
> A high-level comment without getting into DNS/DNSSEC details:
> 
> a link object "A -> B" involves two parties, i.e., A and B. Unless A and B are actually the same party, you need to have two signatures, one from A and one from B, to indicate that both parties have agreed on this link relationship. A single signature (as in the LINK redirect object) is not enough to prevent such attacks as the one mentioned by Junxiao.

In the attack above, a single signature is enough. The attacker can redirect the traffic because it returns a wrong DNS A record for Baidu, and dns resolvers simply accept the response. 

If dns resolver can validate the signature of the DNS A record (signed by Baidu's key), then they will tell that the returned A record is wrong, and they will not send anything to the IP address in the returned DNS A record. The whole process does not require any signature from the small website side.

Yingdi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20140914/2158a85b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20140914/2158a85b/attachment.bin>

More information about the Nfd-dev mailing list