Great Suggestion for the DNS problem...?

Colin Alston karnaugh at karnaugh.za.net
Mon Jul 28 19:19:39 UTC 2008


On 2008/07/28 09:05 PM Jay R. Ashworth wrote:
> Is there any reason which I'm too far down the food chain to see why
> that's not a fantastic idea?  Or at least, something inspired by it?

If NS records pointed to IPs instead of names then this problem might 
not exist.
The root holds glue going up the chain, and you could reject 
authoritative responses from IPs not listed as authoritative NS for 
that zone.

I.e. for karnaugh.za.net, net is looked up from root. Root IP addresses 
are queried directly, so you know to ignore responses coming from 
someone else. That gives you net (the same gTLD, how convenient) and 
authoritative IP response for its NS. So you look up za.net and get 
correct glue and so on.

Actually, if glue were always served up the resolution chain then 
only crummy glueless delegations would be vulnerable.

Anyone feel like redesigning the DNS protocol? Anyone? No? :(
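The resolution chain sketched in the message, as an added example that is not part of the original post: a toy iterative resolver walks root -> net -> za.net -> karnaugh.za.net, and at every hop it only accepts a reply whose source address is one the parent's glue named as authoritative for that zone. All zone data, server addresses and the simulated "network" below are constructed for illustration (documentation ranges, not real root or gTLD servers); the forged-referral scenario is likewise constructed. The code assumes the source address seen on a response is genuine, which is exactly what an off-path spoofer forges, so this shows the proposed filtering rule rather than a complete defence.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Response:
    src_ip: str                      # source address as seen on the wire
    kind: str                        # "referral" or "answer"
    zone: str                        # zone the response is about
    glue: List[Tuple[str, str]] = field(default_factory=list)  # (ns, ip)
    rdata: Optional[str] = None      # A record, for an "answer"


# Constructed authoritative data: which addresses serve which zone.
SERVERS: Dict[str, List[Tuple[str, str]]] = {
    ".": [("a.root.example", "192.0.2.1")],
    "net": [("a.gtld.example", "192.0.2.10")],
    "za.net": [("ns1.za.net", "192.0.2.20")],
    "karnaugh.za.net": [("ns1.karnaugh.za.net", "192.0.2.30")],
}
ANSWERS = {"www.karnaugh.za.net": "198.51.100.5"}  # constructed A record


def is_under(name: str, zone: str) -> bool:
    """True if `name` falls inside `zone` (root contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def honest_server(dest_ip: str, qname: str) -> Response:
    """A well-behaved authoritative server at dest_ip: answer if the name
    is in its own zone, otherwise refer down one zone cut with glue."""
    served = next(z for z, ns in SERVERS.items()
                  if any(ip == dest_ip for _, ip in ns))
    below = [z for z in SERVERS
             if z != "." and z != served
             and is_under(qname, z) and is_under(z, served)]
    if not below:
        return Response(dest_ip, "answer", served, rdata=ANSWERS.get(qname))
    child = min(below, key=len)          # the immediate child zone cut
    return Response(dest_ip, "referral", child, glue=list(SERVERS[child]))


def resolve(qname: str,
            network: Callable[[str, str], List[Response]]
            ) -> Tuple[Optional[str], List[str]]:
    """Iterate from the root. `expected` is the set of addresses the parent's
    glue named as authoritative for the zone about to be queried; a reply
    from any other address is logged and dropped, never acted on."""
    expected: Set[str] = {ip for _, ip in SERVERS["."]}   # root hints
    log: List[str] = []
    for _ in range(10):                                   # bound the chase
        server = sorted(expected)[0]
        accepted = None
        for r in network(server, qname):
            if r.src_ip not in expected:
                log.append(f"rejected {r.kind} for {r.zone} from {r.src_ip}; "
                           f"authoritative set is {sorted(expected)}")
                continue
            accepted = r
            break
        if accepted is None:
            return None, log
        if accepted.kind == "answer":
            return accepted.rdata, log
        expected = {ip for _, ip in accepted.glue}        # glue from parent
    return None, log


def clean_network(dest_ip: str, qname: str) -> List[Response]:
    """Only the real server replies."""
    return [honest_server(dest_ip, qname)]


def network_with_forged_referral(dest_ip: str, qname: str) -> List[Response]:
    """Constructed scenario: before every real reply, a packet from
    203.0.113.9 arrives claiming that za.net is served by 203.0.113.9."""
    forged = Response("203.0.113.9", "referral", "za.net",
                      glue=[("ns1.za.net", "203.0.113.9")])
    return [forged, honest_server(dest_ip, qname)]


if __name__ == "__main__":
    for net in (clean_network, network_with_forged_referral):
        addr, log = resolve("www.karnaugh.za.net", net)
        print(net.__name__, "->", addr)
        for line in log:
            print("  ", line)
```

In the forged scenario the bogus referral is dropped at every hop because its source address is not in the glue the parent handed down, and the lookup still lands on the constructed 198.51.100.5. The same check would accept the packet if its source address were forged to match an entry in that glue, which is the assumption noted in the lead-in.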

More information about the NANOG mailing list