Great Suggestion for the DNS problem...?

Colin Alston karnaugh at karnaugh.za.net
Mon Jul 28 15:20:34 CDT 2008


On 2008/07/28 09:52 PM Jay R. Ashworth wrote:
> On Mon, Jul 28, 2008 at 12:35:30PM -0700, Tomas L. Byrnes wrote:
>> As you pointed out, the protocol, if properly implemented, addresses
>> this. 
>>
>> There should always be Glue (A records for the NS) in a delegation. RFC
>> 1034 even specifies this:
>>
>> 4.2.2 <snip>
>> As the last installation step, the delegation NS RRs and glue RRs
>> necessary to make the delegation effective should be added to the parent
>> zone.  The administrators of both zones should insure that the NS and
>> glue RRs which mark both sides of the cut are consistent and remain so.
>> </snip>
> 
> A probably important distinction:
> 
> That's not the protocol, that's the specified implementation framework
> of the protocol.  In general, DNS still works if you screw that up,
> which is why it's so often screwed up.

Yes it should work. In fact, why *don't* implementations discard 
authoritative responses from non-authoritative hosts? Or do we? Or am 
I horribly wrong?

There's an argument that IP spoofing can easily derail this, but I'd 
shift that argument higher up the OSI, blame TCP, and move on to 
recommending SYN cookies. Even if forged though, if the forged IP 
returns NS authority glue that doesn't match the source, the lookup 
still fails.

DNSSEC kinda does this verification though, just more complicatedly 
and more reliant on administrative cooperation, and I've never met a 
DNS person who is cooperative ;)

My suggestion though was more of replacing
NS -> A -> IP
with
NS -> IP

That is just a brain fart though.

My 0.00264050803375 cents (at current exchange rates).




More information about the NANOG mailing list