* Alex Bligh:

> Could you amplify a bit on this one? I think what you are saying is
> that recursive servers which do not support DOMAIN.LOCAL.ARPA
> (and hence don't strip it out of any response to a recursive
> query) can be subject to poisoning attacks which will result in
> duff nameserver records being sent to clients that are aware
> of the protocol.

I was alluding to this:

; <<>> DiG 9.5.1-P3 <<>> @208.67.222.222 DOMAIN.LOCAL.ARPA
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44816
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;DOMAIN.LOCAL.ARPA.             IN      A

;; ANSWER SECTION:
DOMAIN.LOCAL.ARPA.      0       IN      A       67.215.65.132

;; Query time: 41 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Oct 20 13:12:32 2009
;; MSG SIZE  rcvd: 51

And 67.215.65.132 does not offer DNS service.

> I think that is indeed a security concern, and perhaps not
> one that can be brushed aside with the response "but such
> servers can have any DNS query made to them poisoned anyway".

ARPA will soon be signed, so I don't think this is much to worry
about.  If the powers that be finally agree to make NXDOMAIN/NODATA
synthesis the default in the upcoming minor DNSSEC revision, this will
also help to cut down the number of requests.

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to