Great Suggestion for the DNS problem...?

Tomas L. Byrnes tomb at byrneit.net
Mon Jul 28 14:35:30 CDT 2008


As you pointed out, the protocol, if properly implemented, addresses
this. 

There should always be Glue (A records for the NS) in a delegation. RFC
1034 even specifies this:

4.2.2 <snip>
As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone.  The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.
</snip>



> -----Original Message-----
> From: Colin Alston [mailto:karnaugh at karnaugh.za.net] 
> Sent: Monday, July 28, 2008 12:20 PM
> To: Jay R. Ashworth
> Cc: nanog at nanog.org
> Subject: Re: Great Suggestion for the DNS problem...?
> 
> On 2008/07/28 09:05 PM Jay R. Ashworth wrote:
> > Is there any reason which I'm too far down the food chain 
> to see why 
> > that's not a fantastic idea?  Or at least, something inspired by it?
> 
> If NS records pointed to IP's instead of names then this 
> problem might not exist.
> The root holds glue going up the chain, and you could reject 
> authoritative responses from IP's not listed as authoritative 
> NS for that zone.
> 
> Ie for karnaugh.za.net, net is looked up from root. Root IP 
> addresses are queried directly, so you know to ignore 
> responses coming from someone else. That gives you net (the 
> same gtld, how convenient) and authoritative IP response for 
> its NS. So you look up za.net and get correct glue and so on.
> 
> Actually, if glue were always served up the resolution chain 
> then then only crummy glueless delegations would be vulnerable.
> 
> Anyone feel like redesigning the DNS protocol? Anyone? No? :(
> 
> 




More information about the NANOG mailing list