Great Suggestion for the DNS problem...?
Colin Alston
karnaugh at karnaugh.za.net
Mon Jul 28 19:19:39 UTC 2008
On 2008/07/28 09:05 PM Jay R. Ashworth wrote:
> Is there any reason which I'm too far down the food chain to see why
> that's not a fantastic idea? Or at least, something inspired by it?
If NS records pointed to IPs instead of names then this problem might
not exist.
The root holds glue going up the chain, and you could reject
authoritative responses from IPs not listed as authoritative NS for
that zone.
I.e. for karnaugh.za.net, net is looked up from root. Root IP addresses
are queried directly, so you know to ignore responses coming from
someone else. That gives you net (the same gTLD, how convenient) and
authoritative IP response for its NS. So you look up za.net and get
correct glue and so on.
Actually, if glue were always served up the resolution chain then
only crummy glueless delegations would be vulnerable.
Anyone feel like redesigning the DNS protocol? Anyone? No? :(
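The walk described above, as an added illustration that is not part of the thread: a toy iterative resolver that starts from root-hint addresses and, at each delegation step, accepts a referral only if it arrived from an address the resolver actually queried, discarding the rest. Addresses, glue and the reply stream are constructed (documentation ranges, not real root or gTLD servers); the check is only as strong as the authenticity of the reply's source address, and the glueless case the post mentions is surfaced as an error rather than resolved.

```python
from dataclasses import dataclass

# Constructed root hints (documentation-range addresses, not real root servers).
ROOT_HINTS = {"192.0.2.1", "192.0.2.2"}

@dataclass(frozen=True)
class Response:
    src_ip: str          # address the UDP reply arrived from
    ns_ips: frozenset    # glue: addresses the reply says are authoritative

def labels_from_root(name):
    """'karnaugh.za.net.' -> ['.', 'net.', 'za.net.', 'karnaugh.za.net.']"""
    parts = [p for p in name.split(".") if p]
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

def resolve(name, wire):
    """Walk the delegation chain for `name`.

    `wire` maps each zone to the replies received for it (constructed input).
    A reply is used only if it came from an address queried at that step;
    all earlier replies from other addresses are returned as rejected.
    Returns (authoritative_ips_for_name, rejected_replies).
    """
    queried = ROOT_HINTS          # step 1: the root is queried by address directly
    rejected = []
    for zone in labels_from_root(name)[1:]:
        accepted = None
        for reply in wire.get(zone, []):
            if reply.src_ip in queried:
                accepted = reply
                break
            rejected.append(reply)   # forged: not from an address we asked
        if accepted is None:
            raise LookupError(f"no referral for {zone} from a queried address")
        if not accepted.ns_ips:
            # Glueless delegation: NS names only, so this address check cannot continue.
            raise LookupError(f"glueless delegation for {zone}")
        queried = set(accepted.ns_ips)   # only these addresses are asked next
    return queried, rejected

# Constructed traffic: one genuine referral per step plus forged replies from
# 10.0.0.66, an address the resolver never queried.
WIRE = {
    "net.": [Response("10.0.0.66", frozenset({"10.0.0.66"})),
             Response("192.0.2.1", frozenset({"198.51.100.1", "198.51.100.2"}))],
    "za.net.": [Response("198.51.100.2", frozenset({"203.0.113.1"}))],
    "karnaugh.za.net.": [Response("10.0.0.66", frozenset({"10.0.0.66"})),
                         Response("203.0.113.1", frozenset({"203.0.113.50"}))],
}
```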