On 02/09/12 09:56, Matus UHLAR - fantomas wrote:
> Questions:
> (1) It looks to me like if the ghost name is in our
> DNS RPZ zone, then that 'fixes' the problem for
> that name. Is this correct?
A ghost domain could be redelegated to a new owner and become absolutely
legal.
On 09.02.12 07:36, John Hascall wrote:
Caveat Emptor -- if you buy a former TDSS (or some other evil) domain,
that's just too bad.
unfortunately, RPZ or DNSSEC - solving this problem depends on the whole
world using them, so with this flaw in the DNS protocol we're screwed
still. When you buy a domain, just check if it's blacklisted anywhere
if you want to avoid this.
> (2) It also looks like restarting bind flushes the cache
> and that prevents the repopulation of the local cache
> with names which are ghosts (new different ghost names
> could, of course, be created). Is this correct?
AFAIK 'rndc flush' will do the same.
Thanks - we're doing a nightly restart for other reasons.
what?
This is just my opinion, but this is not a bug. It's the side effect of
a desirable feature called caching.
Yea, we can brainstorm how to mitigate the effect, but in order to
mitigate a problem, we have to know that there is a problem (revoked or
bad domain).
1) How would we (as dns server operators) know when a domain name is
revoked? (Gee sounds like what the US government wants to do and it
seems the community does not like that idea and I agree it's a bad idea
to put the US DHS in charge of that list.)
2) Restart or flush our DNS cache frequently? Let's assume the A record
TTL is 24 hrs. And if we decide to flush the cache once a day? That
leaves a whole bunch of time that we are open to this and not much
remaining time for the record in cache. I fail to see the benefit
here. The idea to flush just the 'bad' domain fails due to #1, IMHO.
3) Maybe I don't understand DNS cache and its relationship with DNSSEC
yet. But if my server caches a good answer (verified via DNSSEC), why
would my server recheck the DNSSEC records until the TTL has elapsed?
My thinking (and I could be quite wrong here) is that my server will
cache a good verified answer and DNSSEC does not seem to help here.
Please let me know where I am wrong here if I am.
Lyle Giese
LCR Computer Services, Inc.
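The discussion above (a cached delegation that keeps getting refreshed after the domain is gone from the parent, and whether a restart, 'rndc flush' or a daily flush helps) can be modelled with a small resolver-cache simulation. This is an added example written for this page; it is not BIND code and not from anyone in the thread. The zone name, the TTLs, the refresh interval and the two cache policies ("refresh", which lets child-supplied NS data extend the cached entry, and "bounded", an assumed hardened policy that refuses to let child-supplied NS data outlive the parent's delegation TTL) are all constructed for the model.

```python
"""Toy resolver cache: how a ghost delegation survives, and what ends it.

Added example, not BIND code. Times are seconds; the model is event-free
and steps in one-hour ticks. Names and TTLs are constructed.
"""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Record:
    rdata: str
    expires: float              # when this cache entry stops being usable
    delegation_expires: float   # when the parent's delegation would have expired


class ResolverCache:
    def __init__(self, policy="refresh"):
        # "refresh": NS data learned from the child replaces the cached entry
        #            with a fresh TTL (the behaviour the thread complains about).
        # "bounded": assumed hardened policy; a child-supplied NS set may never
        #            extend the entry past the parent's delegation TTL.
        self.policy = policy
        self.ns = {}

    def learn_delegation(self, zone, ns, ttl, now):
        """Delegation obtained from the parent (the TLD)."""
        self.ns[zone] = Record(ns, now + ttl, now + ttl)

    def learn_child_ns(self, zone, ns, ttl, now):
        """NS set handed back by the zone's own authoritative server."""
        cur = self.ns.get(zone)
        if cur is None or cur.expires <= now:
            return False   # nothing live to refresh; a real resolver would re-ask the parent
        if self.policy == "refresh":
            self.ns[zone] = Record(ns, now + ttl, cur.delegation_expires)
        else:
            self.ns[zone] = Record(ns, min(now + ttl, cur.delegation_expires),
                                   cur.delegation_expires)
        return True

    def resolvable(self, zone, now):
        cur = self.ns.get(zone)
        return cur is not None and cur.expires > now

    def flush(self):            # 'rndc flush' / restart
        self.ns.clear()

    def flushname(self, zone):  # 'rndc flushname <zone>'
        self.ns.pop(zone, None)


def simulate(policy, flush_every=None, flushname_at=None, horizon=30 * DAY):
    """Return the last tick (seconds) at which the ghost zone still resolved,
    or None if it never did."""
    zone = "ghost.example"       # constructed name
    cache = ResolverCache(policy)
    cache.learn_delegation(zone, "ns.ghost.example", DAY, now=0)
    revoked_at = 1 * HOUR        # parent drops the delegation; the cache is never told
    last_alive = None
    for t in range(0, horizon + HOUR, HOUR):
        if flush_every and t > 0 and t % flush_every == 0:
            cache.flush()
        if flushname_at is not None and t == flushname_at:
            cache.flushname(zone)
        if t > revoked_at and t % (12 * HOUR) == 0:
            # the zone's still-running authoritative server answers with a fresh NS set
            cache.learn_child_ns(zone, "ns.ghost.example", DAY, t)
        if cache.resolvable(zone, t):
            last_alive = t
    return last_alive


if __name__ == "__main__":
    for label, kw in [("naive, no flush", dict(policy="refresh")),
                      ("bounded policy", dict(policy="bounded")),
                      ("naive, daily flush", dict(policy="refresh", flush_every=DAY)),
                      ("naive, flushname day 3", dict(policy="refresh", flushname_at=3 * DAY))]:
        alive = simulate(**kw)
        print(f"{label:24s} last resolvable at {alive / DAY:.2f} days")
```

With the naive policy and no flush the entry is still alive at the 30-day horizon, which is the "ghost". A daily full flush or a targeted `flushname` ends it, but only at the moment it runs, which is the trade-off raised in point 2: between flushes the stale delegation is served normally. The bounded policy ends it on its own at the parent's original 24-hour TTL, without anyone having to know the domain was revoked.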
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users