Great Suggestion for the DNS problem...?

Colin Alston karnaugh at karnaugh.za.net
Mon Jul 28 20:20:34 UTC 2008


On 2008/07/28 09:52 PM Jay R. Ashworth wrote:
> On Mon, Jul 28, 2008 at 12:35:30PM -0700, Tomas L. Byrnes wrote:
>> As you pointed out, the protocol, if properly implemented, addresses
>> this. 
>>
>> There should always be Glue (A records for the NS) in a delegation. RFC
>> 1034 even specifies this:
>>
>> 4.2.2 <snip>
>> As the last installation step, the delegation NS RRs and glue RRs
>> necessary to make the delegation effective should be added to the parent
>> zone.  The administrators of both zones should insure that the NS and
>> glue RRs which mark both sides of the cut are consistent and remain so.
>> </snip>
> 
> A probably important distinction:
> 
> That's not the protocol, that's the specified implementation framework
> of the protocol.  In general, DNS still works if you screw that up,
> which is why it's so often screwed up.

Yes, it should work. In fact, why *don't* implementations discard
authoritative responses from non-authoritative hosts? Or do we? Or am
I horribly wrong?

There's an argument that IP spoofing can easily derail this, but I'd 
shift that argument higher up the OSI, blame TCP, and move on to 
recommending SYN cookies. Even if forged though, if the forged IP 
returns NS authority glue that doesn't match the source, the lookup 
still fails.

DNSSEC kinda does this verification though, just more complicatedly 
and more reliant on administrative cooperation, and I've never met a 
DNS person who is cooperative ;)

My suggestion though was more of replacing
NS -> A -> IP
with
NS -> IP

That is just a brain fart though.

My 0.00264050803375 cents (at current exchange rates).
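A minimal version of the check Colin is arguing for, as an added example that is not from the thread or from any resolver's code: it takes the delegation the parent handed out (NS names plus glue) and a reply from the server that was asked, and lists why the reply should be discarded when its source is not a delegated server, when its NS or glue fall outside the delegated zone, or when its glue disagrees with the parent's. The zone names and addresses are constructed (RFC 5737 documentation ranges).

```python
from dataclasses import dataclass


@dataclass
class Delegation:
    zone: str                          # zone cut from the parent, e.g. "example.net."
    glue: dict[str, set[str]]          # NS name -> glue A addresses from the parent


@dataclass
class Response:
    source_ip: str                     # address the UDP reply actually came from
    aa: bool                           # Authoritative Answer flag in the header
    authority_ns: dict[str, set[str]]  # AUTHORITY section: zone -> NS names
    additional_a: dict[str, set[str]]  # ADDITIONAL section: name -> A addresses


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below the zone cut (both fully qualified)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def check_response(d: Delegation, r: Response) -> list[str]:
    """Return the reasons to discard r; an empty list means r is acceptable."""
    problems = []
    delegated = set().union(*d.glue.values())
    # Source check: only a server the parent delegated to may answer for the zone.
    if r.source_ip not in delegated:
        problems.append(f"source {r.source_ip} is not a delegated server for {d.zone}")
        if r.aa:  # the "authoritative response from a non-authoritative host" case
            problems.append("AA set by a host the parent did not delegate to")
    # Bailiwick check: NS and glue in the reply may only describe the delegated zone.
    for zone in r.authority_ns:
        if not in_bailiwick(zone, d.zone):
            problems.append(f"out-of-bailiwick NS set for {zone}")
    for name, addrs in r.additional_a.items():
        if not in_bailiwick(name, d.zone):
            problems.append(f"out-of-bailiwick glue for {name}")
        # Consistency (RFC 1034 4.2.2): glue for a delegated NS must match the parent's.
        elif name in d.glue and not addrs <= d.glue[name]:
            problems.append(f"glue for {name} disagrees with the parent: {sorted(addrs)}")
    return problems


# Constructed sample: the parent delegates example.net. to two glued servers.
PARENT = Delegation("example.net.", {"ns1.example.net.": {"192.0.2.1"},
                                     "ns2.example.net.": {"192.0.2.2"}})
GOOD = Response("192.0.2.1", True, {"example.net.": {"ns1.example.net."}},
                {"ns1.example.net.": {"192.0.2.1"}})
FORGED = Response("203.0.113.9", True, {"example.net.": {"ns1.example.net."}},
                  {"ns1.example.net.": {"203.0.113.9"}, "www.example.com.": {"203.0.113.9"}})
```

Running `check_response(PARENT, FORGED)` reports the unlisted source, the AA flag from that source, the glue that contradicts the parent, and the out-of-bailiwick record, which is the "lookup still fails" outcome described above.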