North American Network Operators Group


Re: Great Suggestion for the DNS problem...?

  • From: Colin Alston
  • Date: Mon Jul 28 16:20:57 2008

On 2008/07/28 09:52 PM Jay R. Ashworth wrote:
> On Mon, Jul 28, 2008 at 12:35:30PM -0700, Tomas L. Byrnes wrote:
>> As you pointed out, the protocol, if properly implemented, addresses
>> this.
>>
>> There should always be Glue (A records for the NS) in a delegation. RFC
>> 1034 even specifies this:
>>
>> 4.2.2 <snip>
>> As the last installation step, the delegation NS RRs and glue RRs
>> necessary to make the delegation effective should be added to the parent
>> zone.  The administrators of both zones should insure that the NS and
>> glue RRs which mark both sides of the cut are consistent and remain so.
>> </snip>
>
> A probably important distinction:
>
> That's not the protocol, that's the specified implementation framework
> of the protocol.  In general, DNS still works if you screw that up,
> which is why it's so often screwed up.

Yes it should work. In fact, why *don't* implementations discard authoritative responses from non-authoritative hosts? Or do we? Or am I horribly wrong?


There's an argument that IP spoofing can easily derail this, but I'd shift that argument higher up the OSI, blame TCP, and move on to recommending SYN cookies. Even if forged though, if the forged IP returns NS authority glue that doesn't match the source, the lookup still fails.

DNSSEC kinda does this verification though, just more complicatedly and more reliant on administrative cooperation, and I've never met a DNS person who is cooperative ;)

My suggestion though was more of replacing
NS -> A -> IP
with
NS -> IP

That is just a brain fart though.

My 0.00264050803375 cents (at current exchange rates).
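The two checks discussed in this exchange, as an added example that is not part of the original post or of any resolver's code: the RFC 1034 section 4.2.2 consistency check between the NS/glue records on the parent side of a cut and the NS/A records at the child apex, and the question Colin raises of accepting an "authoritative" answer only if it arrives from an address the delegation actually points at. All zone names, nameserver names and addresses below are constructed sample data; `Delegation`, `check_delegation_consistency` and `response_source_is_delegated` are names chosen for this example.

```python
"""Delegation consistency and response-source checks (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address


def normalize(name):
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


@dataclass
class Delegation:
    """One side of a zone cut: the NS names and the A glue known there."""
    zone: str
    ns: set          # nameserver hostnames
    glue: dict       # hostname -> set of IPv4/IPv6 address strings

    def addrs_for(self, name):
        """Glue addresses for a nameserver, looked up by normalized name."""
        wanted = normalize(name)
        for host, addrs in self.glue.items():
            if normalize(host) == wanted:
                return set(addrs)
        return set()


def check_delegation_consistency(parent, child):
    """RFC 1034 4.2.2: NS and glue on both sides of the cut should agree.

    Returns a list of human-readable discrepancies; empty means consistent.
    """
    problems = []
    p_ns = {normalize(n) for n in parent.ns}
    c_ns = {normalize(n) for n in child.ns}
    for n in sorted(p_ns - c_ns):
        problems.append(f"NS {n} in parent delegation but not at child apex")
    for n in sorted(c_ns - p_ns):
        problems.append(f"NS {n} at child apex but not in parent delegation")
    for n in sorted(p_ns & c_ns):
        p_addrs, c_addrs = parent.addrs_for(n), child.addrs_for(n)
        # Only compare when both sides actually carry an address for the host.
        if p_addrs and c_addrs and p_addrs != c_addrs:
            problems.append(
                f"glue for {n} differs: parent {sorted(p_addrs)} "
                f"vs child {sorted(c_addrs)}"
            )
    return problems


def response_source_is_delegated(delegation, source_ip):
    """Accept an answer flagged authoritative only if its source address is
    one the delegation points at; anything else is treated as not
    authoritative for this zone (the check the thread asks about)."""
    src = ip_address(source_ip)
    known = {ip_address(a) for addrs in delegation.glue.values() for a in addrs}
    return src in known


# Constructed sample data: the parent's view and the child's view of one cut.
PARENT = Delegation(
    zone="example.test.",
    ns={"ns1.example.test", "ns2.example.test"},
    glue={"ns1.example.test": {"192.0.2.1"}, "ns2.example.test": {"192.0.2.2"}},
)
CHILD = Delegation(
    zone="example.test.",
    ns={"ns1.example.test", "ns2.example.test", "ns3.example.test"},
    glue={
        "ns1.example.test": {"192.0.2.1"},
        "ns2.example.test": {"192.0.2.22"},   # renumbered, parent glue is stale
        "ns3.example.test": {"192.0.2.3"},    # added at the child, never delegated
    },
)

if __name__ == "__main__":
    for line in check_delegation_consistency(PARENT, CHILD):
        print("inconsistent:", line)
    for src in ("192.0.2.1", "203.0.113.9"):
        verdict = "accept" if response_source_is_delegated(PARENT, src) else "reject"
        print(f"authoritative answer from {src}: {verdict}")
```

The consistency report is what an operator on either side of the cut would run after a nameserver renumbering; the source check is the resolver-side rule the thread wonders about, and the forged-source case Colin mentions is exactly the one it does not cover on its own, since a spoofed packet can carry any source address.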