Hi Tony,

On Monday, 30 December 2019, 20:10:57 CET Tony Finch wrote:
> It's very difficult to make the DNS properly case-preserving, because a
> parent zone and a child zone can disagree with each other about the case
> of the parent zone.

dnsext-dns0x20-00 doesn't have anything to do with zones. If it's completely implemented, each query has a different camel case. All caching and all comparisons are still done in lowercase according to RFC 4343.

E.g. with fully implemented dnsext-dns0x20-00:

A client application on client1 wishes to resolve the IPv4 address of www.iment.com.

client1 asks resolver1 for Www.IMent.coM IN A.

The authoritative NS RRs of com are already cached, to shorten this a bit. ;-)

resolver1 asks an authoritative of the com zone for ImenT.Com or wWw.ImenT.Com.
resolver1 gets ImenT.com IN NS ns-b.ImenT.Com and ns-a.ImenT.Com back.
resolver1 writes both RRs in lowercase to its cache.

resolver1 asks ns-b.iment.com for wwW.imEnT.cOM IN A.
It gets wwW.imEnT.cOM IN A 216.55.100.245 back.
It writes it in lowercase to its cache (www.iment.com).

client1 gets Www.IMent.coM IN A 216.55.100.245 back from resolver1. In the client application this is handled as the answer for www.iment.com.

There are probably some authoritatives that don't implement RFC 4343 correctly. In this case you will get the case from the zone back, and resolver1 will wait for a better answer if the spoofing protection isn't provided via other mechanisms (DNS cookies or DNSSEC). And there are some more or less common authoritatives that implement RFC 4343 by always answering in lowercase, until dnsext-dns0x20-00 was implemented.

If a resolver doesn't implement dnsext-dns0x20-00, implementing dnsext-dns0x20-00 in the client application doesn't have any security effect, since many of the client applications will ask in lowercase. And even if they wouldn't, the security effect is gone if the attacker can do queries and choose the case the resolver queries. Some resolvers not implementing dnsext-dns0x20-00 will also convert queries to lowercase when forwarding them to the authoritative. If the answer to a dnsext-dns0x20-00 query is given in lowercase and spoofing protection is not provided via other mechanisms, there will also be a delay.

We're talking about resolving here. Not about AXFR (between authoritatives) and not about DNS UPDATE specified by RFC 2136 (to dynamically update information on authoritatives). dnsext-dns0x20-00 can't be used for securing DNS UPDATE, since the sensitive information goes in the opposite direction there.

Kind regards
Lars

--
Lars Kollstedt
Telephone: +49 6151 16-71027
E-Mail: l...@man-da.de

man-da.de GmbH
Dolivostraße 11
64293 Darmstadt

Registered office: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Managing Director: Andreas Ebert
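The 0x20 round trip Lars walks through, as an added Python sketch that is not part of the original mail or of any resolver's code: the resolver derives the per-query case pattern from a keyed hash (an assumed design chosen here so the expected spelling can be recomputed statelessly; the draft leaves that choice to the implementer), checks that the reply echoes the case, and caches and compares only the RFC 4343 lowercase form, so the client gets back exactly the spelling it asked for. The secret and transaction id used are constructed sample values.

```python
import hashlib
import hmac


def canonical(name: str) -> str:
    """RFC 4343 comparison form: ASCII letters folded to lowercase."""
    return name.lower()


def apply_case(lower_name: str, bits: int) -> str:
    """Bit i of `bits` decides whether the i-th letter of the name is uppercased.
    Non-letters (dots, digits, hyphens) have no case and are left alone."""
    out, i = [], 0
    for ch in lower_name:
        if ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def encode_0x20(name: str, secret: bytes, txid: int) -> str:
    """Resolver side: derive the case pattern from a keyed hash of the transaction
    id and the lowercase name (assumed design, so the resolver needs no per-query
    state to recompute the spelling it expects to see echoed in the reply)."""
    lower = canonical(name)
    mac = hmac.new(secret, txid.to_bytes(2, "big") + lower.encode("ascii"), hashlib.sha256)
    return apply_case(lower, int.from_bytes(mac.digest(), "big"))


def check_reply(sent_qname: str, reply_qname: str) -> str:
    """Case check on the echoed question. 'case-mismatch' is what a forged reply
    with the wrong case guess produces, but also what an authoritative that
    always answers in lowercase produces; as the mail notes, the resolver then
    waits for a better answer or relies on DNS cookies / DNSSEC instead."""
    if canonical(sent_qname) != canonical(reply_qname):
        return "different-name"
    return "match" if sent_qname == reply_qname else "case-mismatch"


def store_answer(cache: dict, reply_qname: str, rrtype: str, rdata: str) -> None:
    """Cache key is the RFC 4343 lowercase form, never the camel-cased spelling."""
    cache[(canonical(reply_qname), rrtype)] = rdata


def answer_client(cache: dict, client_qname: str, rrtype: str):
    """Look up in lowercase, but hand the client back the exact name it asked for."""
    rdata = cache.get((canonical(client_qname), rrtype))
    return None if rdata is None else (client_qname, rrtype, rdata)
```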