On 7 Apr 2022, at 18:50, John R. Levine wrote:

> A friend of mine asserts that wildcard DNS records are a problem because
> hostile clients can use them to fill up DNS caches with junk answers to
> random queries that match a wildcard. But it seems to me that you can do it
> just as well with random queries that match nothing and fill up the cache
> with NXDOMAIN junk answers. Am I missing something here?

I don't think so, apart from of course that the TTL of the cached data might be different depending on whether the query matches something or not.

Patrik

> If you add DNSSEC, with or without RFC 8198 response synthesis, the details
> change but I don't think the answer does, it's about the same either way.
>
> I can see attacks where you might use URLs with wildcard names to fill web
> caches with junk pages (see https://www.web.sp.am/) but that's different.
>
> Regards,
> John Levine, [email protected], Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
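The TTL point Patrik raises is the one practical difference between the two cases, and it is easy to see in a toy model. The following is an added example, not code from the thread: a minimal TTL-bounded resolver cache fed with random-label queries under an assumed zone, once with a wildcard (positive answers carry the wildcard record's TTL) and once without (NXDOMAIN answers are cached for min(SOA TTL, SOA MINIMUM) per RFC 2308). The zone name, TTLs and query rate are constructed assumptions. Each unique random name costs one cache entry either way; what differs is how long the entry stays live, so a zone operator's SOA MINIMUM bounds how much of the cache a burst of non-existent names can hold, while a wildcard's own TTL does the same job for matching names.

```python
"""Toy model of resolver-cache consumption by random-subdomain queries.

Added example for the DNSOP thread above, not code from the list or its
participants. Zone parameters below are constructed assumptions; the
negative-cache TTL rule follows RFC 2308 section 5.
"""
import random
import string

# Constructed zone parameters (assumptions for this example).
ZONE = "example"
WILDCARD_TTL = 3600      # TTL of the assumed "*.example" record
SOA_TTL = 86400          # TTL of the zone's SOA record
SOA_MINIMUM = 300        # SOA MINIMUM field, which bounds negative caching


def negative_cache_ttl(soa_ttl=SOA_TTL, soa_minimum=SOA_MINIMUM):
    """RFC 2308: an NXDOMAIN answer is cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa_ttl, soa_minimum)


def authoritative_answer(qname, has_wildcard):
    """Model of the authoritative server: a random name under the zone either
    matches the wildcard (positive answer) or does not exist (NXDOMAIN)."""
    if has_wildcard:
        return ("A", WILDCARD_TTL)
    return ("NXDOMAIN", negative_cache_ttl())


class ResolverCache:
    """Minimal TTL-bounded cache keyed by query name, no size limit."""

    def __init__(self):
        self.entries = {}          # qname -> (answer_kind, expires_at)
        self.upstream_queries = 0

    def resolve(self, qname, now, has_wildcard):
        entry = self.entries.get(qname)
        if entry and entry[1] > now:
            return entry[0]        # cache hit, nothing new stored
        kind, ttl = authoritative_answer(qname, has_wildcard)
        self.upstream_queries += 1
        self.entries[qname] = (kind, now + ttl)
        return kind

    def live_entries(self, now):
        """Entries that have not yet expired at time `now`."""
        return sum(1 for _, exp in self.entries.values() if exp > now)


def random_qname(rng, length=12):
    """Constructed random label under the assumed zone."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}.{ZONE}"


def simulate(has_wildcard, n_queries=6000, rate_per_sec=10, seed=1):
    """Issue n_queries distinct-looking random names at a fixed rate and
    report how many cache entries were created and how many are still live
    when the burst ends (n_queries / rate_per_sec seconds later)."""
    rng = random.Random(seed)
    cache = ResolverCache()
    for i in range(n_queries):
        now = i / rate_per_sec
        cache.resolve(random_qname(rng), now, has_wildcard)
    end = n_queries / rate_per_sec
    return {
        "entries_inserted": len(cache.entries),
        "live_at_end": cache.live_entries(end),
        "ttl_per_entry": WILDCARD_TTL if has_wildcard else negative_cache_ttl(),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("wildcard:" if flag else "no wildcard:", simulate(flag))
```

With the defaults (6000 queries over 600 seconds), both runs insert 6000 entries, but with the 300-second negative TTL only the entries from the last 300 seconds are still live at the end, whereas every wildcard entry (TTL 3600) is. Lowering SOA MINIMUM, or the wildcard record's TTL, shrinks the live window accordingly; a real resolver also applies its own cache size limits and TTL caps on top of this.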
