On 12 Nov 2015, at 0:15, Stephane Bortzmeyer wrote:

> On Wed, Nov 11, 2015 at 01:15:37AM +0000,
> Wessels, Duane <[email protected]> wrote
> a message of 107 lines which said:
>
>> This updates RFC 2308 (Negative Caching of DNS Queries).
>
> Good point, I'll add that. Also, I did not dare to add "Updates: RFC
> 1034". Should I?

Yes.

>> I think the WG needs to discuss and agree whether or not to make the
>> NXDOMAIN cut based on QNAME only, or on the SOA owner name.
>
> This is discussed (shortly) in section 5 of the draft. Apparently, it
> can be risky to rely on the SOA. More discussion welcome.

...and is needed.

>> If the goal is to thwart random qname attacks, then it would be
>> better to use the SOA
>
> Sure, if you don't have access to the resolver (if you do, you can
> "poison" it with a request QNAME=apex-of-the-attack).
>
>> Implementing NXDOMAIN cut should also reduce the effectiveness of a
>> Kaminsky attack since the attack relies on the cache to forward
>> numerous non-existent names.
>
> Right.
>
>> I think it's a little dangerous to say that an NXDOMAIN response
>> SHOULD cause a cache to delete already cached "positive" data.
>
> Could you elaborate on why it is dangerous? (See also the second
> paragraph of section 7.)

If the NXDOMAIN response is not signed, it allows an attacker to block resolution of a name that was good, yes?

--Paul Hoffman
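A toy resolver cache, added here as an illustration and not code from the draft or from any of the posters, that applies an NXDOMAIN cut either on the QNAME or on the SOA owner name and makes the purge question in the thread concrete: an unsigned NXDOMAIN that is allowed to delete positive data lets a single forged response blank out a good name, whereas a QNAME cut that only purges on validated responses does not. Names, addresses and the `validated` flag (standing in for a DNSSEC-validated response) are constructed for the example.

```python
from __future__ import annotations
from typing import Optional


def is_at_or_below(name: str, ancestor: str) -> bool:
    """True if `name` equals `ancestor` or lies below it in the DNS tree."""
    n = name.lower().rstrip(".").split(".")
    a = ancestor.lower().rstrip(".").split(".")
    return len(n) >= len(a) and n[-len(a):] == a


class NxCutCache:
    """Minimal cache modelling the NXDOMAIN cut policy choices (constructed example)."""

    def __init__(self, cut_on: str = "qname", purge_on_unsigned: bool = False):
        self.cut_on = cut_on                  # "qname" (draft default) or "soa" (owner name)
        self.purge_on_unsigned = purge_on_unsigned
        self.positive: dict[str, str] = {}    # name -> cached positive answer
        self.cuts: set[str] = set()           # names below which nothing is believed to exist

    def store_nxdomain(self, qname: str, soa_owner: str, validated: bool) -> list[str]:
        """Record an NXDOMAIN; return the positive entries purged because of it."""
        cut = qname if self.cut_on == "qname" else soa_owner
        self.cuts.add(cut)
        if not (validated or self.purge_on_unsigned):
            return []                         # unsigned denial never evicts good data
        purged = [n for n in self.positive if is_at_or_below(n, cut)]
        for n in purged:
            del self.positive[n]
        return purged

    def lookup(self, name: str) -> Optional[str]:
        """Cached answer, "NXDOMAIN" if the name sits under a cut, or None on a miss."""
        if name in self.positive:             # surviving positive data wins over a cut
            return self.positive[name]
        if any(is_at_or_below(name, c) for c in self.cuts):
            return "NXDOMAIN"
        return None
```

Cutting on the SOA owner name covers sibling names too (the random-qname benefit) but, because the apex itself exists, a validated denial then evicts every real name in the zone, which is the risk section 5 of the draft alludes to.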
