On Wed, 28 Jul 2021, Shumon Huque wrote:
Sibling glue was already covered in RFC 1034 (even though there was no term
for it). ...

Sure, but we've been cleaning up the ambiguities and errors in 1034 for 30 years. A straightforward reading of that paragraph also gives you the Kaminsky attack.

The simplest way to defend against cache poisoning is to accept only in-bailiwick glue which you can do with a string comparison. If you're going to accept sibling glue, now you have to look up the tree and see if both names have the same parent. That's not all that hard, but it's a big step up in implementation complexity from the string comparison.

How about this?

 foo.test NS abc.def.bar.test
 abc.def.bar.test A 10.11.12.13

but there's a zone cut at def.bar.test. Is a nephew* still a sibling? What if that zone cut is in the PSL? I have no idea and I don't think I want to find out.

"MUST" in RFC-ese means you have to do something in order to interoperate. I think we all agree that the DNS will operate fine without sibling glue, other than NS loops which I personally don't care about. That makes it at most a MAY, and I agree with Geoff's reasons to take it out completely.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

* - I don't know of an English word that means niece-or-nephew

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
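The contrast the message draws, between the suffix comparison that an in-bailiwick check needs and the tree walk that a sibling-glue check needs, in working code. This is an added example, not code from the thread or from any resolver; the zone cuts (`ZONE_CUTS`), the names and the `classify_glue` / `accept_glue` helpers are constructed here for illustration, and a real resolver would learn cuts from referrals rather than from a fixed list.

```python
from typing import Iterable, Optional

# Constructed delegation tree for the example: every name listed here is a
# zone apex. The cut at def.bar.test is the "nephew" case from the message.
ZONE_CUTS = ["test", "foo.test", "bar.test", "def.bar.test"]


def labels(name: str) -> tuple:
    """Normalise a domain name into lowercase labels, leaf first."""
    return tuple(name.rstrip(".").lower().split("."))


def is_subdomain(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it (label-wise suffix test)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def is_in_bailiwick(ns_name: str, delegated_zone: str) -> bool:
    """The cheap check: glue is in-bailiwick iff the NS name is under the
    delegated zone. No knowledge of other zone cuts is required."""
    return is_subdomain(ns_name, delegated_zone)


def enclosing_zone(name: str, zone_cuts: Iterable[str]) -> Optional[str]:
    """Closest zone cut at or above name: the longest known suffix."""
    cuts = {".".join(labels(c)) for c in zone_cuts}
    n = labels(name)
    for i in range(len(n)):
        candidate = ".".join(n[i:])
        if candidate in cuts:
            return candidate
    return None


def parent_zone(zone: str, zone_cuts: Iterable[str]) -> Optional[str]:
    """Zone cut immediately above zone, or None at the top of the tree."""
    z = labels(zone)
    if len(z) < 2:
        return None
    return enclosing_zone(".".join(z[1:]), zone_cuts)


def classify_glue(delegated_zone: str, ns_name: str, zone_cuts: Iterable[str]) -> str:
    """Classify an NS target relative to a delegation.

    Everything past the first test needs the zone-cut tree: 'sibling' means
    the NS name sits in another zone delegated from the same parent, 'nephew'
    means a further cut lies between that sibling and the NS name.
    """
    if is_in_bailiwick(ns_name, delegated_zone):
        return "in-bailiwick"
    parent = parent_zone(delegated_zone, zone_cuts)
    if parent is None or not is_subdomain(ns_name, parent):
        return "out-of-bailiwick"
    ns_zone = enclosing_zone(ns_name, zone_cuts)
    if ns_zone == parent:
        return "parent"          # parent is authoritative; no glue needed
    if parent_zone(ns_zone, zone_cuts) == parent:
        return "sibling"
    return "nephew"


def accept_glue(delegated_zone: str, ns_name: str, zone_cuts: Iterable[str],
                allow_sibling: bool = False) -> bool:
    """Resolver policy: the strict default keeps only in-bailiwick glue;
    allow_sibling=True widens it to sibling zones and nothing deeper."""
    kind = classify_glue(delegated_zone, ns_name, zone_cuts)
    return kind == "in-bailiwick" or (allow_sibling and kind == "sibling")


if __name__ == "__main__":
    for ns in ["ns1.foo.test", "ns1.bar.test", "abc.def.bar.test", "ns.test", "ns.example"]:
        print(f"{ns:18} -> {classify_glue('foo.test', ns, ZONE_CUTS)}")
```

The same NS name abc.def.bar.test comes out as "sibling" when def.bar.test is not a known cut and as "nephew" when it is, which is exactly why the sibling rule cannot be evaluated with a string comparison alone: the answer depends on delegation state the resolver may not yet hold.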
