On Mon, Dec 15, 2003 at 12:19:19PM -0800, Doug Barton wrote:
> Mark Foster wrote:
>
> >OK. However this approach ignores the real-world observations that lame
> >delegations produce an inordinate load on the parent name servers,
> >apparently due to broken resolver implementation(s).
> >
> >I have seen this happen a number of times. The resulting query loop
> >has comprised up to 80% of the parent server query traffic.
>
> There is a serious problem with one very popular vendor's resolving name
> server implementation wherein if _all_ the name servers in the parent's
> delegation are lame, it will enter a loop. If even one of the name
> servers in the delegation respond, the loop is broken.
>
> Doug
Sorry for the long delay in getting back about this.

Can you elaborate on this apparent deficiency in the DNS infrastructure? Is the vendor Microsoft?

It seems that if a ccTLD chooses to accept registrations from the general public, but chooses to not enforce authoritative name servers before publishing the delegation, they are opening themselves up for a denial of service attack. If the ccTLD name servers are taken out, the ccTLD goes dark. So if these ccTLDs are not built to scale to the attack, they are at risk.

Could this happen, and if so how can the risk be mitigated?

-- 
Some days it's just not worth chewing through the restraints...
Mark Foster <[EMAIL PROTECTED]>
http://mark.foster.cc/
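The mitigation raised in the message (check that the delegated servers actually answer authoritatively before the parent publishes the delegation) as an added example; this is not code from the thread or from any registry, it uses only the Python standard library, and the zone name, server addresses and response bytes are constructed for illustration. A delegation is treated as lame when a server does not respond, refuses, or answers without the AA bit set.

```python
import socket
import struct

# Added example, not part of the original thread: a pre-publication check
# that every server listed in a delegation answers authoritatively for the
# zone. Zone names, addresses and reply bytes used with it are constructed.

QR, AA = 0x8000, 0x0400          # header flag bits we care about
SOA, IN = 6, 1                   # query type / class

def build_query(zone, qid=0x1234):
    """Build a non-recursive (RD clear) SOA query for the zone apex: we want
    the server's own answer, not something it would look up on our behalf."""
    header = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", SOA, IN)

def classify_response(data, qid=0x1234):
    """Return 'authoritative', 'lame' or 'bad' for a raw DNS reply header."""
    if len(data) < 12:
        return "bad"
    rid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid or not flags & QR:
        return "bad"                       # not a reply to our query
    if flags & 0x000F != 0:
        return "lame"                      # REFUSED / SERVFAIL / NXDOMAIN
    if not flags & AA or an == 0:
        return "lame"                      # replied, but not authoritatively
    return "authoritative"

def check_delegation(zone, servers, timeout=2.0):
    """Query each delegated server over UDP; return {addr: classification}."""
    results, q = {}, build_query(zone)
    for addr in servers:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(q, (addr, 53))
            results[addr] = classify_response(s.recv(512))
        except (socket.timeout, OSError):
            results[addr] = "lame"         # no answer at all
        finally:
            s.close()
    return results

def safe_to_publish(results):
    """Publish only when every listed server is authoritative. The all-lame
    delegation is exactly the case that drives the resolver loop described
    in the thread; a stricter bar also avoids partially broken delegations."""
    return bool(results) and all(v == "authoritative" for v in results.values())
```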