Ralf-san,

> The DNS forwarders term didn’t appear in an RFC before 7719, so I guess
> there is no such description.

As described in RFC 8499, "forwarder" first appeared and was defined in RFC 2308, but it describes "a nameserver used to resolve queries instead of directly using the authoritative nameserver chain".

Anyway, I agree that there is no such description for the behavior of DNS forwarders.

-- Orange

From: "Ralf Weber" <[email protected]>
Subject: Re: [dns-operations] dnspooq
Date: Thu, 21 Jan 2021 14:15:16 +0100

> Moin!
>
> On 21 Jan 2021, at 13:48, Yasuhiro Orange Morishita / 森下泰宏 wrote:
>> I know that section 6 of RFC 5452 describes 'in-domain checking'
>> for full-service resolvers, but I can't find any RFCs describing the
>> same checking for DNS forwarders...
> The DNS forwarders term didn’t appear in an RFC before 7719, so I guess
> there is no such description.
>
>> Moreover, the whitepaper describes this as follows:
>>
>> "We acknowledge that this is not a vulnerability per se, and
>> moreover is reasonable behavior, though it magnifies the attack and
>> similar types of attacks."
>>
>> Isn't it really a vulnerability?
> I agree for a real DNS forwarder (aka proper resolver acting as a
> forwarder), but for a DNS proxy there really is no other option than
> to give the packet back to the client (stub resolver) and let it deal
> with it.
>
> So long
> -Ralf
> ――-
> Ralf Weber
>
