* Anyone can point a DNAME to empty.as112.arpa, not just subtrees of
rDNS. Is that a security issue?
I thought of it as a feature. AS112 is for everyone, not just IANA! :-)
Well, yes, but I'm trying to think of a bad guy who wants to hide part of
his malware factory with split horizon or something.
* I don't know what fraction of the Internet's DNS caches understand
DNAME and will synthesize responses from a cached DNAME. ...
I don't think I quite see what you're getting at, though. Could you
expand a little on the potential you see for increased traffic on
authority servers?
The study in the appendix checked whether DNAME would break stuff, but
unless I'm missing something, it didn't try to tell whether the client
caches used the DNAME or the synthesized CNAME. If it uses the DNAME,
subsequent traffic from that cache for other addresses in the redirected
subtree will go to empty.as112.arpa, more or less the same as it does now
with the NS redirection, and the redirecting server will see less traffic.
But for caches that don't understand DNAME, you'll get just as much
traffic at the redirecting server, and then an equal additional amount to
as112 via the synthesized CNAME to the empty.as112.arpa server.
Like I said, I don't know in practice what fraction of the world's DNS
goes through caches that understand DNAME and what fraction doesn't.
It's more complex than just counting the caches, since some caches like
Google's 8.8.8.8 (which I'm fairly sure does DNAME properly) handle orders
of magnitude more than little caches on small private networks.
* (the half question) Since DNAME only redirects names below the DNAME
and not the name itself, something a lot of people don't seem to
understand very well,* should the document offer any advice about what
else you might want to put at the name with the DNAME?
That's an interesting point. For the reverse tree uses of AS112 we don't
care, since the redirection point is never a well-formed QNAME in the
reverse/1034 sense. What advice do you think is pertinent?
If you redirect something that's not the middle of an rDNS name, remember
that the name itself will not be redirected, so if you expect a lot of
queries for the name at the redirection point, it won't help.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
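The traffic argument in the thread above (a DNAME-aware cache caches the DNAME and sends later queries for the subtree straight to AS112, while a cache that only keeps the synthesized CNAME comes back to the redirecting server for every new name) is easy to check with a small model. The following is an added example, not code from the thread or from the AS112 draft: it implements DNAME substitution as RFC 6672 describes it (the DNAME owner itself is never redirected, only names below it) and counts queries at both servers for the two kinds of cache. `empty.as112.arpa` is the target named in the thread; `10.in-addr.arpa` and the reverse names fed to the caches are constructed for the example.

```python
# Added example (not from the thread or the AS112 draft): a minimal model of
# DNAME substitution (RFC 6672) and of the two cache behaviours discussed.
# Constructed names: 10.in-addr.arpa as the redirection point and the
# 1..5.2.0.10.in-addr.arpa QNAMEs; empty.as112.arpa is the thread's target.


def _labels(name):
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def dname_applies(qname, owner):
    """A DNAME at `owner` covers names strictly below it, never `owner` itself."""
    q, o = _labels(qname), _labels(owner)
    return len(q) > len(o) and q[-len(o):] == o


def substitute(qname, owner, target):
    """Synthesize the CNAME target for `qname` (RFC 6672 section 2.2): replace
    the `owner` suffix with `target`, keeping the labels above it."""
    if not dname_applies(qname, owner):
        raise ValueError(f"DNAME at {owner} does not cover {qname}")
    q, o = _labels(qname), _labels(owner)
    return ".".join(q[: len(q) - len(o)] + _labels(target)) + "."


class AuthServer:
    """Authoritative server that counts queries. If it holds a DNAME it answers
    with the DNAME plus the synthesized CNAME, which is all a DNAME-unaware
    cache can use. Without a DNAME it stands in for the empty.as112.arpa server."""

    def __init__(self, dname=None):
        self.dname = dname  # (owner, target) or None
        self.queries = 0

    def query(self, qname):
        self.queries += 1
        if self.dname and dname_applies(qname, self.dname[0]):
            owner, target = self.dname
            return {"DNAME": (owner, target),
                    "CNAME": (qname, substitute(qname, owner, target))}
        return {}  # nothing to redirect: empty / NXDOMAIN answer


class Cache:
    """Recursive cache. A DNAME-aware cache stores the DNAME and synthesizes
    later CNAMEs itself; an unaware cache only remembers each synthesized CNAME."""

    def __init__(self, understands_dname):
        self.understands_dname = understands_dname
        self.dname = None
        self.cnames = {}

    def resolve(self, qname, redirecting, as112):
        if self.dname and dname_applies(qname, self.dname[0]):
            target = substitute(qname, *self.dname)  # no query to redirecting server
        elif qname in self.cnames:
            target = self.cnames[qname]  # cached synthesized CNAME
        else:
            resp = redirecting.query(qname)
            if "DNAME" not in resp:
                return None
            if self.understands_dname:
                self.dname = resp["DNAME"]
            target = resp["CNAME"][1]
            self.cnames[qname] = target
        as112.query(target)
        return target


def simulate(understands_dname, qnames,
             owner="10.in-addr.arpa.", target="empty.as112.arpa."):
    """Return (queries at the redirecting server, queries at AS112) for one
    cache resolving `qnames` in order."""
    redirecting = AuthServer(dname=(owner, target))
    as112 = AuthServer()
    cache = Cache(understands_dname)
    for name in qnames:
        cache.resolve(name, redirecting, as112)
    return redirecting.queries, as112.queries


if __name__ == "__main__":
    names = [f"{i}.2.0.10.in-addr.arpa." for i in range(1, 6)]
    print("DNAME-aware cache   (redirecting, as112):", simulate(True, names))
    print("DNAME-unaware cache (redirecting, as112):", simulate(False, names))
    # The redirection point itself is not covered by its own DNAME:
    print(dname_applies("10.in-addr.arpa.", "10.in-addr.arpa."))
```

For five distinct names under the redirected subtree the aware cache hits the redirecting server once and AS112 five times, while the unaware cache hits both five times, which is the "equal additional amount" the message describes. The last line shows the half-question's point: a query for the DNAME owner itself is not redirected, so whatever should answer at that name has to be placed there separately.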