Masataka Ohta writes:
> Glue or an additional A of an NS should be cached, though, for
> security purpose, the cache content may be used only as glue.

That is not what RFC 1034 says. It is, however, similar to the RFC 1034
algorithm in that it fails to stop the attack. See the Poison section of
http://cr.yp.to/djbdns/notes.html.

> An implementation may expire a cached NS RR when its glue expires,

That isn't the RFC 1034 algorithm either. If you're going to claim that
the IETF specifications are right and that all of us cache implementors
are wrong, perhaps you should start by reading the specifications.

> First of all, it should be noted that you are not anymore arguing
> against the fact that A6 is as good as NS.

On the contrary. http://cr.yp.to/djbdns/killa6.html explicitly covers
both situations together, and then explains why A6 and DNAME are worse:

   DNS reliability problems

   Out-of-bailiwick pointers destroy DNS lookups in three ways:

      * Every out-of-bailiwick pointer means more queries and more
        opportunities for delay: packets are lost and have to be resent.
        The chance of finding an answer before client timeout decreases
        exponentially with the number of out-of-bailiwick pointers.

      * Caches have to limit the number of queries and the amount of
        memory that they dedicate to a single lookup. When these limits
        are exceeded, lookups fail.

      * As illustrated by the AOL suicide example, every
        out-of-bailiwick pointer is another opportunity to create a
        loop. When a loop appears, lookups fail.

   These problems are not new. Lookups occasionally fail because system
   administrators have used too many out-of-bailiwick NS records, for
   example. (I tell my users to select in-bailiwick server names. My
   software automatically uses a.ns.fqdn, b.ns.fqdn, etc. as the default
   server names for fqdn. I also tell my users to avoid CNAME records.)

   What is new with A6 and DNAME is that out-of-bailiwick pointers are
   _encouraged_. System administrators are _encouraged_ to set up giant
   A6 chains and giant DNAME chains reflecting their corporate
   structures and network structures. The result will be a tremendous
   increase in the frequency of DNS lookup failures.

   I refuse to implement A6 and DNAME. I cannot bring myself to inflict
   such a rickety system on future Internet users. As of February 2001,
   nobody is relying on A6 or DNAME; I recommend that the A6 and DNAME
   proposals be terminated.

http://cr.yp.to/djbdns/notes.html and http://cr.yp.to/djbdns/killa6.html
provide all the background you need to understand these points.

---Dan
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
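The two technical points in the exchange above, that a cache should only keep records whose owner lies inside the zone the answering server was delegated for, and that every out-of-bailiwick pointer in an A6/DNAME-style chain costs another query and another chance for a loop, are illustrated below with an added example. It is not code from the message, from djbdns or from any IETF specification; the record tables, the zone names under `.test` and `.example`, the per-hop "zone" tag on each pointer, and the query budget are all constructed for the illustration.

```python
"""Bailiwick filtering and pointer-chain following for a caching resolver.
Illustrative only: this is not the djbdns or the RFC 1034 algorithm."""
from __future__ import annotations

from typing import Iterable


def is_subdomain(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it.

    Names are case-folded and a trailing dot is ignored; the root zone
    ('.' or '') contains every name.
    """
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    if z == "":
        return True
    return n == z or n.endswith("." + z)


def split_referral(records: Iterable[tuple[str, str, str]], zone: str):
    """Split the glue/additional records of a referral into those a cache may
    keep (owner inside `zone`, the zone the answering server was delegated
    for) and those it must discard.  Records are (owner, rtype, rdata)."""
    kept, dropped = [], []
    for rec in records:
        (kept if is_subdomain(rec[0], zone) else dropped).append(rec)
    return kept, dropped


def follow_pointers(start: str, pointers: dict, query_budget: int = 4):
    """Resolve `start` through a table of pointer records.

    `pointers` maps owner -> (target, zone), where `zone` is the zone whose
    server supplied that record (a constructed tag for the illustration).
    A target inside that zone is answered by the same server; a target
    outside it is an out-of-bailiwick pointer that costs one more query.
    Returns (status, name, queries_spent) with status 'ok', 'loop' or
    'budget'.
    """
    seen: set[str] = set()
    name = start
    queries = 1  # the initial query
    while name in pointers:
        if name in seen:
            return ("loop", name, queries)
        seen.add(name)
        target, zone = pointers[name]
        if not is_subdomain(target, zone):
            queries += 1
            if queries > query_budget:
                return ("budget", target, queries)
        name = target
    return ("ok", name, queries)


def in_bailiwick_server_names(fqdn: str, count: int = 2) -> list[str]:
    """Server names of the a.ns.fqdn, b.ns.fqdn, ... form.  Each lies inside
    fqdn, so its address can travel as glue with the delegation."""
    fqdn = fqdn.rstrip(".")
    return [f"{chr(ord('a') + i)}.ns.{fqdn}." for i in range(count)]


# Constructed referral for example.test. from a server delegated for "test.".
REFERRAL_ZONE = "test."
REFERRAL_GLUE = [
    ("a.ns.example.test.", "A", "192.0.2.1"),        # inside test.: keep
    ("b.ns.example.test.", "A", "192.0.2.2"),        # inside test.: keep
    ("ns.other-tld.example.", "A", "203.0.113.9"),   # outside test.: discard
]

# Constructed A6-style chain: two in-bailiwick hops, then four hops that
# each leave the zone of the server that supplied the record.
CHAIN = {
    "host.dept.corp.test.": ("dept.corp.test.", "corp.test."),
    "dept.corp.test.": ("corp.test.", "corp.test."),
    "corp.test.": ("uplink.isp-a.example.", "corp.test."),
    "uplink.isp-a.example.": ("peer.isp-b.example.", "isp-a.example."),
    "peer.isp-b.example.": ("core.isp-c.example.", "isp-b.example."),
    "core.isp-c.example.": ("prefix.isp-d.example.", "isp-c.example."),
}

# Constructed two-name loop across two zones.
LOOP = {
    "x.example.test.": ("y.other.test.", "example.test."),
    "y.other.test.": ("x.example.test.", "other.test."),
}

if __name__ == "__main__":
    print(split_referral(REFERRAL_GLUE, REFERRAL_ZONE))
    print(follow_pointers("host.dept.corp.test.", CHAIN, query_budget=4))
    print(follow_pointers("host.dept.corp.test.", CHAIN, query_budget=8))
    print(follow_pointers("x.example.test.", LOOP))
    print(in_bailiwick_server_names("example.test."))
```

With a budget of four queries the six-hop chain fails at the fifth query even though every record in it is well formed; raising the budget to eight lets the same chain resolve, which is the trade-off between lookup success and the per-lookup memory and query limits a cache must impose. The loop table fails regardless of budget, and the referral filter keeps only the two `*.ns.example.test.` addresses.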