rfc3833.txt

bind 9.3结合mysql数据库

4.1.  Interactions With Other Protocols

   The above discussion has concentrated exclusively on attacks within
   the boundaries of the DNS protocol itself, since those are (some of)
   the problems against which DNSSEC was intended to protect.  There
   are, however, other potential problems at the boundaries where DNS
   interacts with other protocols.

4.2.  Securing DNS Dynamic Update

   DNS dynamic update opens a number of potential problems when combined
   with DNSSEC.  Dynamic update of a non-secure zone can use TSIG to
   authenticate the updating client to the server.  While TSIG does not
   scale very well (it requires manual configuration of shared keys



Atkins & Austein             Informational                     [Page 11]

RFC 3833                  DNS Threat Analysis                August 2004


   between the DNS name server and each TSIG client), it works well in a
   limited or closed environment such as a DHCP server updating a local
   DNS name server.

   Major issues arise when trying to use dynamic update on a secure
   zone.  TSIG can similarly be used in a limited fashion to
   authenticate the client to the server, but TSIG only protects DNS
   transactions, not the actual data, and the TSIG is not inserted into
   the DNS zone, so resolvers cannot use the TSIG as a way of verifying
   the changes to the zone.  This means that either:

   a) The updating client must have access to a zone-signing key in
      order to sign the update before sending it to the server, or

   b) The DNS name server must have access to an online zone-signing key
      in order to sign the update.

   In either case, a zone-signing key must be available to create signed
   RRsets to place in the updated zone.  The fact that this key must be
   online (or at least available) is a potential security risk.

   Dynamic update also requires an update to the SERIAL field of the
   zone's SOA RR.  In theory, this could also be handled via either of
   the above options, but in practice (a) would almost certainly be
   extremely fragile, so (b) is the only workable mechanism.

   There are other threats in terms of describing the policy of who can
   make what changes to which RRsets in the zone.  The current access
   control scheme in Secure Dynamic Update is fairly limited.  There is
   no way to give fine-grained access to updating DNS zone information
   to multiple entities, each of whom may require different kinds of
   access.  For example, Alice may need to be able to add new nodes to
   the zone or change existing nodes, but not remove them; Bob may need
   to be able to remove zones but not add them; Carol may need to be
   able to add, remove, or modify nodes, but only A records.

   Scaling properties of the key management problem here are a
   particular concern that needs more study.

4.3.  Securing DNS Zone Replication

   As discussed in previous sections, DNSSEC per se attempts to provide
   data integrity and data origin authentication services on top of the
   normal DNS query protocol.  Using the terminology discussed in
   [RFC3552], DNSSEC provides "object security" for the normal DNS query
   protocol.  For purposes of replicating entire DNS zones, however,
   DNSSEC does not provide object security, because zones include
   unsigned NS RRs and glue at delegation points.  Use of TSIG to



Atkins & Austein             Informational                     [Page 12]

RFC 3833                  DNS Threat Analysis                August 2004


   protect zone transfer (AXFR or IXFR) operations provides "channel
   security", but still does not provide object security for complete
   zones. The trust relationships involved in zone transfer are still
   very much a hop-by-hop matter of name server operators trusting other
   name server operators rather than an end-to-end matter of name server
   operators trusting zone administrators.

   Zone object security was not an explicit design goal of DNSSEC, so
   failure to provide this service should not be a surprise.
   Nevertheless, there are some zone replication scenarios for which
   this would be a very useful additional service, so this seems like a
   useful area for future work.  In theory it should not be difficult to
   add zone object security as a backwards compatible enhancement to the
   existing DNSSEC model, but the DNSEXT WG has not yet discussed either
   the desirability of or the requirements for such an enhancement.

5.  Conclusion

   Based on the above analysis, the DNSSEC extensions do appear to solve
   a set of problems that do need to be solved, and are worth deploying.

Security Considerations

   This entire document is about security considerations of the DNS.
   The authors believe that deploying DNSSEC will help to address some,
   but not all, of the known threats to the DNS.

Acknowledgments

   This note is based both on previous published works by others and on
   a number of discussions both public and private over a period of many
   years, but particular thanks go to

   Jaap Akkerhuis,
   Steve Bellovin,
   Dan Bernstein,
   Randy Bush,
   Steve Crocker,
   Olafur Gudmundsson,
   Russ Housley,
   Rip Loomis,
   Allison Mankin,
   Paul Mockapetris,
   Thomas Narten
   Mans Nilsson,
   Pekka Savola,
   Paul Vixie,
   Xunhua Wang,



Atkins & Austein             Informational                     [Page 13]

RFC 3833                  DNS Threat Analysis                August 2004


   and any other members of the DNS, DNSSEC, DNSIND, and DNSEXT working
   groups whose names and contributions the authors have forgotten, none
   of whom are responsible for what the authors did with their ideas.

   As with any work of this nature, the authors of this note acknowledge
   that we are standing on the toes of those who have gone before us.
   Readers interested in this subject may also wish to read
   [Bellovin95], [Schuba93], and [Vixie95].

Normative References

   [RFC1034]    Mockapetris, P., "Domain names - concepts and
                facilities", STD 13, RFC 1034, November 1987.

   [RFC1035]    Mockapetris, P., "Domain names - implementation and
                specification", STD 13, RFC 1035, November 1987.

   [RFC1123]    Braden, R., "Requirements for Internet Hosts -
                Application and Support", STD 3, RFC 1123, October 1989.

   [RFC2181]    Elz, R. and R. Bush, "Clarifications to the DNS
                Specification", RFC 2181, July 1997.

   [RFC2308]    Andrews, M., "Negative Caching of DNS Queries (DNS
                NCACHE)", RFC 2308, March 1998.

   [RFC2671]    Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
                2671, August 1999.

   [RFC2845]    Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
                Wellington, "Secret Key Transaction Authentication for
                DNS (TSIG)", RFC 2845, May 2000.

   [RFC2930]    Eastlake 3rd, D., "Secret Key Establishment for DNS
                (TKEY RR)", RFC 2930, September 2000.

   [RFC3007]    Wellington, B., "Secure Domain Name System (DNS) Dynamic
                Update", RFC 3007, November 2000.

   [RFC2535]    Eastlake 3rd, D., "Domain Name System Security
                Extensions", RFC 2535, March 1999.










Atkins & Austein             Informational                     [Page 14]

RFC 3833                  DNS Threat Analysis                August 2004


Informative References

   [RFC3552]    Rescorla, E. and B. Korver, "Guidelines for Writing RFC
                Text on Security Considerations", BCP 72, RFC 3552, July
                2003.

   [Bellovin95] Bellovin, S., "Using the Domain Name System for System
                Break-Ins", Proceedings of the Fifth Usenix Unix
                Security Symposium, June 1995.

   [Galvin93]   Design team meeting summary message posted to dns-
                security@tis.com mailing list by Jim Galvin on 19
                November 1993.

   [Schuba93]   Schuba, C., "Addressing Weaknesses in the Domain Name
                System Protocol", Master's thesis, Purdue University
                Department of Computer Sciences,  August 1993.

   [Vixie95]    Vixie, P, "DNS and BIND Security Issues", Proceedings of
                the Fifth Usenix Unix Security Symposium, June 1995.

Authors' Addresses

   Derek Atkins
   IHTFP Consulting, Inc.
   6 Farragut Ave
   Somerville, MA  02144
   USA

   EMail: derek@ihtfp.com


   Rob Austein
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA 94063
   USA

   EMail: sra@isc.org












Atkins & Austein             Informational                     [Page 15]

RFC 3833                  DNS Threat Analysis                August 2004


Full Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.









Atkins & Austein             Informational                     [Page 16]