Andreas;
> > > How? No-one is suggesting that these records be put in the cache.
> >
> > I have been suggesting that these records be put in a referral-local
> > cache content of which is not used for usual A query nor glue A of
> > other referral points.
>
> I think that's an excellent approach, and one that should be seriously
> considered when designing new resolver implementations. BIND 8 and 9
> have the concept of a single, global cache too deeply ingrained to be
> changed at this point.

As I have been suggesting it long before BIND 8 or 9, I have no
intention to check them specifically by myself.

But, if they are implemented rationally, the modification would be:

Add a field of referral point for a cache entry structure.

Referral point would be null pointer unless it is cached from
additional A for NS. Otherwise the referral point for the NS
would be stored.

Cache entries are matched considering the referral point, unless
the answer is used for additional A for NS. Additional A for NS
may use cache entry with null referral point.

As all the referral points of a zone share the same glue
information, zone may be used instead of referral point.

I estimate the modification is a lot easier than several generations of
misdirected attempts to obtain the true weak security.

Masataka Ohta
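
The modification described in the message above, as an added sketch that is not part of the original post and is not BIND code. It scopes entries by zone rather than by referral point, as the message allows. The names `cache_entry`, `cache_put` and `cache_get`, the fixed-size table, and the choice to prefer a zone-scoped entry over an unscoped one for glue lookups are assumptions.

```c
#include <string.h>

#define MAX_ENTRIES 32

/* One cached A record. referral is the added field: NULL for ordinary data,
 * else the zone whose referral supplied this additional A for an NS. */
struct cache_entry { const char *name, *addr, *referral; };

static struct cache_entry cache[MAX_ENTRIES];
static int cache_len;

static int same_scope(const char *a, const char *b)
{
    return (a == NULL || b == NULL) ? a == b : strcmp(a, b) == 0;
}

/* Store a record, replacing one with the same name and scope.
 * Strings are not copied, so they must outlive the cache. */
int cache_put(const char *name, const char *addr, const char *referral)
{
    for (int i = 0; i < cache_len; i++)
        if (!strcmp(cache[i].name, name) &&
            same_scope(cache[i].referral, referral)) {
            cache[i].addr = addr;
            return 0;
        }
    if (cache_len == MAX_ENTRIES)
        return -1;
    cache[cache_len++] = (struct cache_entry){ name, addr, referral };
    return 0;
}

/* referral == NULL: ordinary lookup, sees only unscoped entries.
 * referral != NULL: glue lookup for that zone; may fall back to unscoped. */
const char *cache_get(const char *name, const char *referral)
{
    const char *fallback = NULL;
    for (int i = 0; i < cache_len; i++) {
        if (strcmp(cache[i].name, name) != 0)
            continue;
        if (same_scope(cache[i].referral, referral))
            return cache[i].addr;       /* entry cached for this zone */
        if (cache[i].referral == NULL)
            fallback = cache[i].addr;   /* ordinary data may serve as glue */
    }
    return fallback;
}
```

An address cached as glue for one zone is therefore never returned for an ordinary A query or for another zone's NS lookup.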