A friend of mine asserts that wildcard DNS records are a problem because
hostile clients can use them to fill up DNS caches with junk answers to
random queries that match a wildcard. But it seems to me that you can do
it just as well with random queries that match nothing and fill up the
cache with NXDOMAIN junk answers. Am I missing something here?
If you add DNSSEC, with or without RFC 8198 response synthesis, the
details change but I don't think the answer does; it's about the same either
way.
I can see attacks where you might use URLs with wildcard names to fill web
caches with junk pages (see https://www.web.sp.am/) but that's different.
Regards,
John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
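The cache-pressure comparison above, as an added example that is not part of the original message: a constructed Python model of a bounded resolver cache (the capacity, the TTLs and the two-name zone are all assumptions) fed random-label queries for a name under a wildcard and for a name that does not exist, with and without RFC 8198 aggressive use of a cached NSEC.

```python
import random
import string
from collections import OrderedDict

# Constructed model of a resolver cache; not real resolver code.
# Assumptions: answer TTL 3600 s, RFC 2308 negative TTL also 3600 s, and a
# zone holding only the apex and "*.example.", so one cached NSEC covers
# every random name (RFC 8198 aggressive use of DNSSEC-validated cache).
TTL = 3600
ZONE = "example."

class ResolverCache:
    """Bounded LRU cache keyed the way a resolver keys entries: positive
    answers by (name, type), NXDOMAIN by name alone (RFC 2308 section 5)."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.evictions = 0

    def insert(self, key, now):
        self.entries[key] = now + TTL
        self.entries.move_to_end(key)
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)  # evict least recently used
            self.evictions += 1

    def has(self, key, now):
        expiry = self.entries.get(key)
        return expiry is not None and expiry > now

def resolve(cache, qname, qtype, wildcard, aggressive, now):
    """Serve one query, storing only what a resolver would cache."""
    if aggressive:
        if cache.has(("nsec", ZONE), now):
            return  # NSEC proves the name is absent: synthesise, store nothing
        cache.insert(("nsec", ZONE), now)
        if wildcard:
            cache.insert(("*." + ZONE, qtype), now)  # wildcard RRset for synthesis
        return
    if wildcard:
        cache.insert((qname, qtype), now)  # expanded wildcard answer, per type
    else:
        cache.insert(qname, now)  # NXDOMAIN, one entry covering all types

def simulate(queries, wildcard, aggressive=False, capacity=1000, seed=7):
    """Feed random 12-letter labels and report cache occupancy and evictions."""
    rng = random.Random(seed)
    cache = ResolverCache(capacity)
    for now in range(queries):
        label = "".join(rng.choices(string.ascii_lowercase, k=12))
        resolve(cache, f"{label}.{ZONE}", "A", wildcard, aggressive, now)
    return {"entries": len(cache.entries), "evictions": cache.evictions}
```

Without aggressive NSEC use both query streams fill the bounded cache and evict at the same rate; with it, both collapse to one or two long-lived entries.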