* Alex Bligh: > Could you amplify a bit on this one? I think what you are saying is > that recursive servers which do not support DOMAIN.LOCAL.ARPA > (and hence don't strip it out of any response to a recursive > query) can be subject to poisoning attacks which will result in > duff nameserver records being sent to clients that are aware > of the protocol.
I was alluding to this: ; <<>> DiG 9.5.1-P3 <<>> @208.67.222.222 DOMAIN.LOCAL.ARPA ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44816 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;DOMAIN.LOCAL.ARPA. IN A ;; ANSWER SECTION: DOMAIN.LOCAL.ARPA. 0 IN A 67.215.65.132 ;; Query time: 41 msec ;; SERVER: 208.67.222.222#53(208.67.222.222) ;; WHEN: Tue Oct 20 13:12:32 2009 ;; MSG SIZE rcvd: 51 And 67.215.65.132 does not offer DNS service. > I think that is indeed a security concern, and perhaps not > one that can be brushed aside with the response "but such > servers can have any DNS query made to them poisoned anyway". ARPA will soon be signed, so I don't think this is much to worry about. If the powers that be finally agree to make NXDOMAIN/NODATA synthesis the default in the upcoming minor DNSSEC revision, this will also help to cut down the number of requests. -- Florian Weimer <fwei...@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop