Is DNSSEC causing more problems than it solves?

The complex security protocol for the domain name system – DNSSEC – has another black mark against it: it is being used as a way to carry out distributed denial-of-service (DDoS) attacks. That's according to a security bulletin [PDF] by Akamai that notes it has "observed and successfully mitigated a large number of DNS …

  1. Ole Juul


    What do you mean I shouldn't use that phone book? Seriously, most people don't even know there is any lookup involved and happily accept whatever they get. Yes, we do need more education.

    1. Charles 9

      Re: education

      But the problem with education is that there will always be that segment that isn't willing to learn. What do you do with the rejects, especially in this situation where the effects of having rejects is amplified?

  2. JeffyPoooh

    Specifications, the long road to perfection...

    A specification is only perfect when it's infinitely long, but then it's too long.

    1. Charles 9

      Re: Specifications, the long road to perfection...

      If it's too long, then it's not perfect because it's not the perfect length. If you're claiming that no spec of finite length can be perfect, then you're claiming NO spec can be perfect.

  3. Tom Samplonius

    "DNSSEC uses larger-than-normal DNS responses as a way of adding extra security"

    The author may not understand logic (affirming the consequent). DNSSEC responses are signed, and a signed response is larger than an unsigned response. The signature is what adds the security, not the fact that the responses are bigger.

  4. Decade

    Yes, The Register’s writer needs an education

    Kieren McCarthy is so behind on the technology. For many years, Daniel J. Bernstein has been calling DNSSEC “the worst DDOS amplifier on the Internet” for precisely this reason.

    And 2 years ago, Paul Vixie presented a general solution: Response Rate Limiting. The technology exists to fix this problem. It just needs to be deployed.

    Really, I expect this cluelessness from the MSM. It’s sad to see it in The Register.

    1. Daniel B.

      Re: Yes, The Register’s writer needs an education

      The Microsoft Monopoly has no bearing on the DNSSEC specs. What are you talking about?

  5. David Roberts

    Net neutrality?

    The apparent mitigation is to throttle traffic from any one source or to any one source to prevent overload.

    Just had the passing thought that this might trip over net neutrality rules; you should be able to distinguish at the technical level between video streaming and DNS traffic but has this been considered at the legal level?

  6. Anonymous Coward

    Yawn... Apple > Reg at security

    So, a standard attack using DNS, with the addition of DNSSEC means let's disable DNS cryptography?

    Never thought that Apple would be doing more to promote crypto more than a tech site. Do you realize how easy it is to spoof DNS results if there is no crypto? That's how they "take sites off the Internet" in certain places.

    Sure you should use TLS for security instead (if you think you can trust all those Certificate Authorities - ahem). Sane people will still want to use both DNSSEC and TLS. Defense-in-depth.

  7. Anonymous Coward

    This isn't really a DNSSEC issue is it

    It's plain old amplification. Sure what's being amplified is bigger in the first instance but DDoS miscreants never seemed to have too much difficulty getting amplification of a small(er) payload to have a big effect, or to find plain DNS requests with large responses. You can hardly level the accusation at DNSSEC just because signed responses are inherently larger - the same accusation stands for any DNS response more than the 'average' number of records/types that is used as part of an amplification attack.

  8. Arthur the cat

    Mandatory bogon filtering

    and in case of violation cut off their goolies(*) connection.

    (*) This may not be understood by anybody too young or un-UK enough to have seen Not the Nine O'clock News.

  9. SImon Hobson

    Have an upvote for the NTNOCN reference

    Yes, I agree, some basic filtering wouldn't go amiss, and for parts of the internet that won't - well cut them off. The only reason these amplification attacks work is because the ****s can spoof source addresses.

    I realise it's not as trivially easy as "drop packets with a source address that doesn't route out that way" due to asymmetric routing - but at the ISP level there shouldn't be much of a problem with "it's not one of our blocks, drop it" filtering.

    As a DNS server operator, apart from having filtered the address blocks I service, I'm thinking that imposing an artificially low packet size threshold before switching to TCP would also mitigate the problem since large responses would get converted into small "please use TCP" responses. A bit more load, but having seen what DDoS attacks can do to my DNS servers I'd rather have that than be part of the problem. I've already implemented response rate limiting.
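The mitigations raised in this thread (Paul Vixie's Response Rate Limiting in comment 4, "not one of our blocks, drop it" ingress filtering and the small "please use TCP" truncated reply in comment 9) can be put side by side in a toy model. The following is an added example written for this page, not code from any commenter or from BIND/Knot: it uses constructed byte sizes for a query, an unsigned answer, a DNSSEC-signed answer and a header-only TC=1 reply, a constructed spoofed source address from the RFC 5737 documentation range, and a deliberately simplified per-/24 rate limiter. It reflects a flood of queries carrying a spoofed source, reports how many bytes reach that source and the resulting amplification factor, with and without rate limiting.

```python
"""Toy model of DNS reflection, response rate limiting (RRL) with TC "slip"
replies, and BCP38-style source-address filtering. Added example; all sizes,
addresses and the limiter behaviour are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional, Tuple
import ipaddress

# Constructed wire sizes in bytes; not measurements from the article or thread.
QUERY_BYTES = 60              # small UDP query (e.g. DNSKEY or ANY for a zone)
UNSIGNED_ANSWER_BYTES = 500   # plain DNS answer
SIGNED_ANSWER_BYTES = 3000    # answer carrying RRSIG/DNSKEY records
TC_REPLY_BYTES = 60           # header-only reply with TC=1 ("retry over TCP")

SPOOFED_SOURCE = "198.51.100.7"   # constructed victim address (RFC 5737 range)


@dataclass
class ResponseRateLimiter:
    """Simplified RRL: a count of identical responses per (/24, qname) per window."""
    rate: int        # responses allowed per window for one (/24, qname)
    window: float    # window length in seconds
    slip: int        # answer every slip-th over-limit query with TC=1; 0 drops them all
    _buckets: dict = field(default_factory=dict)
    _slip_counters: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, src_ip: str, qname: str, now: float) -> str:
        """Return 'answer', 'truncate' or 'drop' for one incoming query."""
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        key = (net, qname)
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window:        # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self._buckets[key] = (start, count)
        if count <= self.rate:
            return "answer"
        if self.slip:
            self._slip_counters[key] += 1
            if self._slip_counters[key] % self.slip == 0:
                return "truncate"             # tiny TC reply; genuine clients retry over TCP
        return "drop"


def ingress_allowed(src_ip: str, customer_prefixes) -> bool:
    """BCP38-style edge check: only packets whose source lies in our own blocks may leave."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)


def simulate_flood(n_queries: int, rrl: Optional[ResponseRateLimiter] = None,
                   answer_bytes: int = SIGNED_ANSWER_BYTES) -> Tuple[int, float]:
    """Reflect n_queries, all spoofed from SPOOFED_SOURCE and all within one second.
    Returns (bytes delivered to the victim, amplification factor = delivered / query bytes)."""
    delivered = 0
    for i in range(n_queries):
        now = i / n_queries                 # spread the queries across a single second
        action = rrl.decide(SPOOFED_SOURCE, "example.test", now) if rrl else "answer"
        if action == "answer":
            delivered += answer_bytes
        elif action == "truncate":
            delivered += TC_REPLY_BYTES
    return delivered, delivered / (n_queries * QUERY_BYTES)


if __name__ == "__main__":
    for label, size in (("unsigned", UNSIGNED_ANSWER_BYTES), ("DNSSEC-signed", SIGNED_ANSWER_BYTES)):
        sent, amp = simulate_flood(1000, answer_bytes=size)
        print(f"no RRL, {label:14s}: {sent:>9d} bytes to victim, amplification x{amp:.1f}")
    limiter = ResponseRateLimiter(rate=5, window=1.0, slip=2)
    sent, amp = simulate_flood(1000, limiter)
    print(f"RRL 5/s, slip 2, signed : {sent:>9d} bytes to victim, amplification x{amp:.2f}")
    ours = ["203.0.113.0/24"]   # constructed: the ISP's own customer block
    print("ingress filter passes 203.0.113.9:", ingress_allowed("203.0.113.9", ours))
    print("ingress filter passes spoofed", SPOOFED_SOURCE + ":", ingress_allowed(SPOOFED_SOURCE, ours))
```

Run as a script, the model shows the point several commenters make: the signed answer raises the per-query amplification (50x against roughly 8x for the unsigned answer under these constructed sizes), but once identical responses to one /24 are capped and the overflow is answered with a truncated reply or dropped, the reflector delivers less to the victim than the attacker sent, while a genuine resolver behind that /24 still gets a TC reply it can follow up over TCP. The ingress check is the other half: a spoofed packet never leaves the originating network if its source is not in that network's own blocks.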

  10. Tom 13

    Solution seems simple to me

    If your DNSSEC domain is broadcasting badly formed packets, you lose your DNSSEC record.

    Icon because yes, some people do think I'm a neanderthal, but it gets results for me.

  11. mikeg504

    Looks like a DoS problem that can be fixed by rate limiting the software... the DNSSEC protocol is and has great intentions if it gets adopted on a wider scale. We shall see...
