At 11:34 +0000 2/19/07, Jim Reid wrote:
> Right. But it depends on what's meant by "extra measures". IMO it's more than
> reasonable to have a default that says "don't do reverse lookups of 1918
> addresses on the Internet". This would be a Very Good Thing. If this was in
> place, the extra measures would then be for someone using 1918 addressing to
> switch off that default and properly configure their server for the local
> network.
I disagree about the "Very Good Thing."
If I am using RFC 1918 space locally I will use those addresses in my
local forward DNS and have a local reverse DNS. My remote-facing DNS
will not have those addresses and hence not have any reverse zones.
Part of the problem is that the DNS server doesn't know if it is
doing "reverse lookups of 1918 addresses on the Internet" or if it is
doing reverse lookups of 1918 addresses on the company Intranet.
> Perhaps this should apply to reverse lookups on other "special" address
> ranges such as link-local 169.254/16 too?
I'd say no.
The addresses are special to the routing layer, not the DNS layer.
This is another round of "let's screw the DNS protocol because of
problems elsewhere" - just like last spring when we tried to do
something about the first amplification attacks that became reflection
attacks that then led to at least one task force to get the BCP on
routing to be followed.
Sorry folks if I'm being dense or just ornery about fooling with
Mother Nature here. If you start bending the DNS protocol to route
around damage in other parts of the network architecture, you'll be
weakening one more element.
> Another desirable default resolver configuration would be to refuse
> recursive queries from non-local addresses.
How? What's local? What's not local? Do you want to see the name
server be required to also speak the local routing protocols to
determine what's inside and what's outside?
Remember that the more you stuff into the configuration files, the
more you are going to cost the operators that have to manage the
configurations. Unlike zone data, DNS doesn't have a standard
management protocol.
So, back before my rant.
First let's talk about whether it is a problem to have RFC 1918 space
exposed as an address for a nameserver. Second, let's talk about the
severity, and is there some real threat to others if someone does
this. Third, then let's talk about placing safeguards up.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
"Two years ago you said we had 5-7 years, now you are saying 3-5. What I
need from you is a consistent story..."
_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
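The two resolver defaults argued over above (not forwarding reverse lookups for RFC 1918 and 169.254/16 space upstream unless the operator has configured local reverse zones, and only recursing for clients the operator lists as local) can be written down as a small policy check. The following is an added example written for this page, not code from either poster or from any DNS server; the address ranges are the real special-use blocks, but the function names, the three policy verdicts and the "operator-supplied list of local networks" model are assumptions made here to illustrate the point that the server cannot tell intranet from Internet by itself and must be told.

```python
import ipaddress

# Reverse-mapping ranges discussed in the thread: RFC 1918 private space and
# 169.254/16 link-local. The networks are real; the policy below is illustrative.
SPECIAL_USE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def ptr_name_to_address(qname):
    """Turn an IPv4 in-addr.arpa PTR name into an address, or None when the
    name is not a complete reverse-mapping name (e.g. a normal hostname)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4][::-1]  # reverse-map names list the octets backwards
    try:
        return ipaddress.ip_address(".".join(octets))
    except ValueError:
        return None


def special_use_net(addr):
    """Return the special-use network containing addr, or None."""
    for net in SPECIAL_USE_NETS:
        if addr in net:
            return net
    return None


def reverse_lookup_policy(qname, local_reverse_nets=()):
    """Decide what a resolver does with a PTR query (assumed policy, not any
    particular server's). local_reverse_nets are CIDR strings the operator has
    explicitly set up reverse zones for on the local network.

    Returns:
      "forward"     - ordinary reverse lookup, send upstream as usual
      "serve-local" - special-use range the operator configured locally
      "refuse"      - special-use range with no local configuration: answer
                      locally (empty/NXDOMAIN) instead of leaking it upstream
    """
    addr = ptr_name_to_address(qname)
    if addr is None or special_use_net(addr) is None:
        return "forward"
    for cidr in local_reverse_nets:
        if addr in ipaddress.ip_network(cidr):
            return "serve-local"
    return "refuse"


def recursion_allowed(client_ip, local_nets):
    """Second default from the thread: recurse only for clients on networks the
    operator listed as local. 'Local' is purely configuration; the server
    cannot derive it from the packet alone."""
    client = ipaddress.ip_address(client_ip)
    return any(client in ipaddress.ip_network(cidr) for cidr in local_nets)


if __name__ == "__main__":
    # Constructed sample queries: one default server, one configured for a
    # site that uses 10/8 internally.
    for q in ["4.3.2.10.in-addr.arpa.", "1.0.254.169.in-addr.arpa", "1.0.0.8.in-addr.arpa"]:
        print(q, "default:", reverse_lookup_policy(q),
              "site-with-10/8:", reverse_lookup_policy(q, ["10.0.0.0/8"]))
    print("recursion from 192.168.1.5:", recursion_allowed("192.168.1.5", ["192.168.0.0/16"]))
    print("recursion from 203.0.113.7:", recursion_allowed("203.0.113.7", ["192.168.0.0/16"]))
```

With an empty local list the 10/8 and 169.254/16 queries are answered locally and never forwarded, which is the "Very Good Thing" default; an operator who actually runs 10/8 adds it to the list and the same query is served from the local reverse zone, which is the "extra measure" the quoted text describes.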