Mukund Sivaraman wrote:
> On Tue, Dec 09, 2014 at 01:17:03PM -0500, Robert Edmonds wrote:
> > BTW, there's also RFC 4697 / BCP 123 which appears to have two contradictory
> > recommendations:
> >
> > 2.3. Inability to Follow Multiple Levels of Indirection
> >
> > [...]
> >
> > 2.3.1. Recommendation
> >
> > Clearly constructing a delegation that relies on multiple levels of
> > indirection is not a good administrative practice. However, the
> > practice is widespread enough to require that iterative resolvers be
> > able to cope with it. Iterative resolvers SHOULD be able to handle
> > arbitrary levels of indirection resulting from out-of-zone name
> > servers. Iterative resolvers SHOULD implement a level-of-effort
> > counter to avoid loops or otherwise performing too much work in
> > resolving pathological cases.
> >
> > [...]
> >
> > You can support an unbounded (sorry) amount of indirection, or a bounded
> > amount of indirection, but not both.
>
> By "arbitrary", I understand that it should be configurable (according
> to its dictionary definition). It doesn't mean that the number of levels
> of indirection is not bounded. Hence, the level-of-effort counter too.
That is not my impression from reading the whole section in context.
"Arbitrary levels of indirection resulting from out-of-zone name servers"
seems to refer to the levels of arbitrariness selected by the "out-of-zone
name servers", not an arbitrary limit imposed by the iterative resolver.

Anyway, the ANSSI report has now been released:

http://www.ssi.gouv.fr/en/the-anssi/events/vulnerabilty-disclosure-the-infinitely-delegating-name-servers-idns-attack.html

-- 
Robert Edmonds
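The two RFC 4697 sentences quoted in this thread are easier to reconcile when you see how a level-of-effort counter behaves in code. The toy iterative resolver below is an added illustration written for this page; it is not code from the thread's participants, from the RFC, or from any real resolver, and every zone, nameserver and address in it is constructed (the `.test` names and RFC 5737 documentation addresses are placeholders). It follows out-of-zone delegations to any depth the data requires, but charges every delegation it chases to one per-query budget, so a legitimate three-level chain resolves while a pair of zones whose only nameservers live in each other is abandoned instead of recursing forever.

```python
"""Toy iterative resolver with a level-of-effort counter (in the spirit of
RFC 4697 section 2.3.1).  Added example with constructed data; not a real
resolver and not the code of any project discussed on this page."""
from dataclasses import dataclass


class EffortExceeded(Exception):
    """Raised when the resolver's work budget for one query is exhausted."""


# Constructed delegation data (hypothetical names, not real DNS).
# zone -> list of (nameserver name, glue address or None when out-of-zone)
DELEGATIONS = {
    "example.test": [("ns.example.net", None)],          # out-of-zone NS: needs its own lookup
    "example.net": [("ns.example.org", None)],           # a second level of indirection
    "example.org": [("ns.example.org", "192.0.2.1")],    # in-zone NS with glue: the chain ends here
    # Two zones whose only nameservers live in each other, with no glue:
    # a resolver that chases every delegation never finishes this one.
    "loop-a.test": [("ns.loop-b.test", None)],
    "loop-b.test": [("ns.loop-a.test", None)],
}

# What the authoritative servers would answer once they can be reached.
RECORDS = {
    "www.example.test": "198.51.100.10",
    "ns.example.net": "192.0.2.2",
    "ns.example.org": "192.0.2.1",
}


@dataclass
class ToyResolver:
    max_effort: int   # level-of-effort budget for one top-level query
    effort: int = 0   # work spent so far on the current query

    def resolve(self, name: str) -> tuple:
        """Resolve name to an address; return (address, delegations chased)."""
        self.effort = 0
        return self._lookup(name), self.effort

    def _closest_zone(self, name: str) -> str:
        """Find the most specific zone in DELEGATIONS that encloses name."""
        labels = name.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in DELEGATIONS:
                return zone
        raise KeyError(f"no delegation for {name}")

    def _spend(self) -> None:
        """Charge one unit of work; give up once the budget is exceeded."""
        self.effort += 1
        if self.effort > self.max_effort:
            raise EffortExceeded(f"gave up after {self.max_effort} steps")

    def _lookup(self, name: str) -> str:
        zone = self._closest_zone(name)
        for ns_name, glue in DELEGATIONS[zone]:
            self._spend()  # every delegation chased counts against the same budget
            if glue is None:
                # Out-of-zone nameserver: its own address must be resolved first,
                # which is exactly the "level of indirection" the RFC talks about.
                self._lookup(ns_name)
            # The server is now reachable; the authoritative answer is one query away.
            if name in RECORDS:
                return RECORDS[name]
        raise KeyError(f"no answer for {name}")


def outcome(name: str, max_effort: int) -> str:
    """Human-readable result of resolving name under a given work budget."""
    try:
        address, steps = ToyResolver(max_effort).resolve(name)
        return f"{address} ({steps} steps)"
    except EffortExceeded as exc:
        return str(exc)


if __name__ == "__main__":
    # A legitimate multi-level chain is still followed to the end ...
    print("www.example.test, budget 8:", outcome("www.example.test", 8))
    # ... unless the operator sets the budget below what the chain needs ...
    print("www.example.test, budget 2:", outcome("www.example.test", 2))
    # ... and a delegation loop is cut off rather than chased forever.
    print("host.loop-a.test, budget 8:", outcome("host.loop-a.test", 8))
```

The budget is what makes "arbitrary levels of indirection" and "bounded work" compatible: the code places no fixed limit on depth as such, only on total delegations chased per query, so the operator chooses how much work a single query may cost. Removing `_spend()` turns the `loop-a.test` case into unbounded recursion, which is the failure mode the counter exists to prevent.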
