> It is the caching of non-asked-for data, be it Auth, Additional, CNAME chains,
> etc., which enables race-until-win attacks like the Kaminsky attack.
> Thus a resolver MUST NEVER cache data that wasn't specifically asked for if it
> can't DNSSEC validate this information. It can use the additional data
> received to indicate that it SHOULD ask for the information, but it shouldn't
> ever cache it in a general context.
> Or, if it does cache it, it should validate that the entry would be valid by
> performing an independent lookup, à la Unbound, and replace the information with
> the new version.
This makes no sense. Assuming you ignore records for which the server
isn't authoritative (which we all do since Kashpureff), why wouldn't you
use the records in the additional section?
Or to put it another way, if you're worried that the authoritative
additional records are fake, why aren't the authoritative answer records
equally fake? Same server, same authority.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
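The rule both messages above take for granted, "ignore records for which the server isn't authoritative", is the bailiwick check that resolvers adopted after the Kashpureff poisoning. The following is an added example (not code from the thread or from any resolver) showing that check applied to the three sections of a response, with an optional stricter policy that keeps only the glue needed for NS targets. The zone, names and addresses are constructed for the demonstration; real resolvers work on parsed wire-format messages, not these toy records.

```python
"""Bailiwick filtering of a DNS response (added example, not from the thread)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RR:
    """A minimal resource record: owner name, type, presentation-format rdata, TTL."""
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Example.COM.' equals 'example.com'."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it, compared label-wise.

    The '.' + zone suffix test prevents the substring trap where
    'notexample.com' would otherwise pass for 'example.com'.
    """
    owner, zone = normalize(owner), normalize(zone)
    if zone == "":
        return True  # the root zone contains every name
    return owner == zone or owner.endswith("." + zone)


def filter_bailiwick(zone: str, records: Iterable[RR]) -> List[RR]:
    """Drop every record whose owner name lies outside `zone`."""
    return [rr for rr in records if in_bailiwick(rr.name, zone)]


def sanitize_response(zone: str, answer: Iterable[RR], authority: Iterable[RR],
                      additional: Iterable[RR], glue_only: bool = False
                      ) -> Tuple[List[RR], List[RR], List[RR]]:
    """Apply the bailiwick check to all three sections of a response.

    `zone` is the zone the queried server was delegated for, known from the
    referral the resolver followed to reach it.  With glue_only=True the
    additional section is further restricted to A/AAAA records whose owner is
    the target of an NS record that survived in the answer or authority
    section, i.e. the glue the resolver actually needs to continue.
    """
    ans = filter_bailiwick(zone, answer)
    auth = filter_bailiwick(zone, authority)
    add = filter_bailiwick(zone, additional)
    if glue_only:
        ns_targets = {normalize(rr.rdata) for rr in ans + auth if rr.rtype == "NS"}
        add = [rr for rr in add
               if rr.rtype in ("A", "AAAA") and normalize(rr.name) in ns_targets]
    return ans, auth, add


# Constructed sample: the resolver asked an example.com server for www.example.com/A.
ZONE = "example.com"
ANSWER = [RR("www.example.com.", "A", "192.0.2.10")]
AUTHORITY = [
    RR("example.com.", "NS", "ns1.example.com."),
    RR("victim.org.", "NS", "ns1.example.com."),    # out of bailiwick: hostile delegation
]
ADDITIONAL = [
    RR("ns1.example.com.", "A", "192.0.2.1"),        # legitimate glue for the NS above
    RR("www.victim.org.", "A", "203.0.113.66"),      # Kashpureff-style poison record
    RR("notexample.com.", "A", "203.0.113.67"),      # substring trap, not under the zone
    RR("mail.example.com.", "A", "192.0.2.25"),      # in bailiwick but never asked for
]


def demo(glue_only: bool = False) -> Tuple[List[RR], List[RR], List[RR]]:
    """Run the sanitizer over the constructed response."""
    return sanitize_response(ZONE, ANSWER, AUTHORITY, ADDITIONAL, glue_only=glue_only)


if __name__ == "__main__":
    for policy in (False, True):
        print(f"glue_only={policy}")
        for label, rrs in zip(("answer", "authority", "additional"), demo(policy)):
            print(f"  {label}:", [(rr.name, rr.rtype, rr.rdata) for rr in rrs])
```

With the plain bailiwick check, `mail.example.com` survives because it is under the zone the server was delegated for, which is exactly the in-bailiwick additional data the two messages disagree about; the `glue_only` policy drops it and keeps only `ns1.example.com`.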