On Sat, Apr 14, 2018 at 01:13:30AM +0800, Mukund Sivaraman wrote:
> On Fri, Apr 13, 2018 at 04:31:35PM +0000, Evan Hunt wrote:
> > I could have sworn there was an RFC published several years ago concerning
> > the prevention of cache poisoning, which specified that resolvers had to
> > ignore out of zone CNAMEs and re-query, but I can't find it now. Poor
> > google skills, or did I dream the whole thing?
> RFC 2181

That was a "should", not a MUST. I thought I remembered something that
upgraded it to MUST, but I can't find it now.

It's possible I was thinking of RFC 5452 (which I now see was authored by
the person whose question I was answering -- *this* is how you suck eggs,
grandma).  It says, "Care must be taken to only accept data if it is known
that the originator is authoritative for the QNAME or a parent of the
QNAME.  One very simple way to achieve this is to only accept data if it is
part of the domain for which the query was intended." This is less
strongly-worded than what I remembered, but at least it does strongly hint
that returning out-of-zone CNAMEs is likely to be a waste of effort.

When we do the 1034 bis I'd like to see this made more explicit.

Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

DNSOP mailing list

Reply via email to