On 02/09/12 09:56, Matus UHLAR - fantomas wrote:
> Questions:
> (1) It looks to me like if the ghost name is in our
>    DNS RPZ zone, then that 'fixes' the problem for
>    that name.   Is this correct?

Ghost domain could be redelegated to a new owner and become absolutely
legal.

On 09.02.12 07:36, John Hascall wrote:
  Caveat Emptor -- if you buy a former TDSS (or someother evil) domain,
  that's just too bad.

unfortunately, RPZ or DNSSEC - solving this problem depends on while world using them, so with this flaw in DNS protocol we're screwed still. When you buy a domain, just check if it's blacklisted anywhere if you want to avoid this

> (2) It also looks like restarting bind flushes the cache
>    and that prevents the repopulation of the local cache
>    with names which are ghosts (new different ghost names
>    could, of course, be created).    Is this correct?

AFAIK 'rndc flush' will do the same.

Thanks - we're doing a nightly restart for other reasons.

what?
This is just my opinion, but this is not a bug. It's the side effect of a desirable feature called caching.

Yea, we can brainstorm how to mitigate the effect, but in order to mitigate a problem, we have to know that there is a problem(revoked or bad domain).

1) How would we(as dns server operators) know when a domain name is revoked? (Gee sounds like what the US government wants to do and it seems the community does not like that idea and I agree it's a bad idea to put the US DHS in charge of that list.)

2) Restart or flush our DNS cache frequently? Let's assume the A record TTL is 24 hrs. And if we decide to flush the cache once a day? That leaves a whole bunch of time that we are open to this and not much remaining time for the record in cache. I fail to see the benefit here. The idea to flush just the 'bad' domain fails due to #1, IMHO.

3) Maybe I don't understand DNS cache and it's relationship with DNSSEC yet. But if my server caches a good answer (verified via DNSSEC), why would my server recheck the DNSSEC records until the TTL has elapsed? My thinking(and I could be quite wrong here) is that my server will cache a good verified answer and DNSSEC does not seem to help here. Please let me know where I am wrong here if I am.

Lyle Giese
LCR Computer Services, Inc.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to