The DNS needs operational profile documents: documents that set societal norms 
for the global public Internet while still allowing the protocol to be overly 
flexible (the "my network, my rules" world).

On 3/12/24, 04:19, "DNSOP on behalf of Kazunori Fujiwara" 
<dnsop-boun...@ietf.org on behalf of fujiw...@jprs.co.jp> wrote:

    With DNS, there are several things to consider, such as counts and
    numbers of repetitions that can complicate name resolution or cause DoS.

    For example, the number of CNAME chains or the number of chains of "unrelated"
    name server names is not limited. (Each implementation sets its own limit.)

    "KeyTrap" also seems to be caused by the configuration of a large
    number of DNSKEY RRs and RRSIG RRs in one domain name.

    For example,

    - Number of CNAME chains
    - Number of "unrelated" name server name resolutions (hard to write)
    - Number of NS RRs in each delegation
    - Number of RRs in one RRSet.
    - Number of RRSIG RRs in one RRSet
    - Number of DNSKEY RRs in one domain name

    DNSOP WG limited NSEC3 parameters in RFC 9276,
    beyond which DNSSEC validation was not required.

    Then we can generate new recommendations that limit these numbers, and
    if a limit is exceeded,
    the result might be a name resolution error or no validation.

    Rather than writing a draft for each limitation,
    I think it would be better to compile them all into one draft.

    --
    Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>

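As an added example (not code from this thread, nor from any resolver), a Python sketch of what a single "limits" document would give resolvers to implement: a CNAME-chain hop limit plus per-name counts of RRs, RRSIGs, DNSKEYs and NS records, with SERVFAIL-style refusal when a count is exceeded. The thresholds, the zone layout and the sample zone are all assumed or constructed, not values proposed in the message or in any RFC.

```python
# Added example, not code from this thread or any resolver: resolver-side count
# limits in the spirit of Fujiwara's list. Every threshold is an assumed value.
from dataclasses import dataclass

@dataclass
class Limits:
    max_cname_chain: int = 8         # assumed, not a WG or RFC number
    max_ns_per_delegation: int = 13  # assumed
    max_rrs_per_rrset: int = 100     # assumed
    max_rrsig_per_rrset: int = 8     # assumed
    max_dnskey_per_name: int = 8     # assumed

class LimitExceeded(Exception):
    """Raised where a resolver would answer SERVFAIL rather than keep working."""

def follow_cname(zone, qname, limits=Limits()):
    """Follow CNAMEs; zone maps owner -> [(rtype, rdata)]. Returns the final name."""
    name, hops = qname, 0
    while True:
        targets = [rd for rt, rd in zone.get(name, []) if rt == "CNAME"]
        if not targets:
            return name
        hops += 1
        if hops > limits.max_cname_chain:
            raise LimitExceeded(f"CNAME chain from {qname} exceeds {limits.max_cname_chain}")
        name = targets[0]

def count_violations(zone, name, limits=Limits()):
    """List the per-name count limits that `name` violates (RRSIG rdata = covered type)."""
    by_type = {}
    for rtype, rdata in zone.get(name, []):
        by_type.setdefault(rtype, []).append(rdata)
    problems = []
    for rtype, rdatas in by_type.items():  # "Number of RRs in one RRSet"
        if rtype != "RRSIG" and len(rdatas) > limits.max_rrs_per_rrset:
            problems.append(f"{name} {rtype}: {len(rdatas)} RRs in one RRset")
    for covered in set(by_type.get("RRSIG", [])):  # "Number of RRSIG RRs in one RRSet"
        n = by_type["RRSIG"].count(covered)
        if n > limits.max_rrsig_per_rrset:
            problems.append(f"{name} RRSIG({covered}): {n} signatures")
    if len(by_type.get("DNSKEY", [])) > limits.max_dnskey_per_name:  # KeyTrap-style
        problems.append(f"{name} DNSKEY: {len(by_type['DNSKEY'])} keys")
    if len(by_type.get("NS", [])) > limits.max_ns_per_delegation:
        problems.append(f"{name} NS: {len(by_type['NS'])} name servers")
    return problems

# Constructed sample zone: a 10-hop CNAME chain and a name with 40 DNSKEYs + 40 RRSIGs.
SAMPLE_ZONE = {f"c{i}.example.": [("CNAME", f"c{i+1}.example.")] for i in range(10)}
SAMPLE_ZONE["keys.example."] = ([("DNSKEY", f"key{i}") for i in range(40)]
                                + [("RRSIG", "DNSKEY")] * 40 + [("NS", "ns1.example.")])
```

With the assumed defaults, `follow_cname(SAMPLE_ZONE, "c0.example.")` refuses the 10-hop chain and `count_violations(SAMPLE_ZONE, "keys.example.")` reports the DNSKEY and RRSIG counts, which is the kind of uniform behaviour one combined draft could specify.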

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
