--On 21 October 2009 09:55:06 +0000 Florian Weimer <fwei...@bfk.de> wrote:

Ah. I think I now understand what you mean. Well yes they can do that,
but they could do it anyway.

There's an additional twist: If I have got a client device (not DNS
proxy) which supports the proposed protocol, it will not work when I
connect it to a network which uses a resolver that performs this type
of spoofing, unless the spoofing resolver has specific support for
this protocol.

It's not "someone could do evil things and make it break", but
"someone already does (perhaps evil) things, and it breaks".

Right, so if a spoofing resolver which does NXDOMAIN redirection but does
not support this protocol (and hence returns bogus A records for
domain.local.arpa along with everything else) receives a query from a
client stack which supports the protocol, it could confuse the client stack
by returning A records which don't support DNS queries (e.g. a "sitefinder
site").

That's easily remedied, and would be a good addition to the protocol. The
first thing the client does is send a query to the candidate new nameserver
(possibly with "Christmas tree" options, e.g. DO set and so forth), and
check the reply looks sensible. If not, it doesn't use it. That way it
doesn't use any server that makes things worse. The query could be an NS
query for ".", but perhaps better a fixed record in .ARPA that does exist
& is signed.

--
Alex Bligh
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
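The sanity probe Alex sketches above, written out as an added example (this is not code from the thread, the draft, or any IETF project). It builds an NS query for "." carrying an EDNS0 OPT record with the DO bit set, then applies one possible set of "does this reply look sensible" checks to whatever comes back: the transaction id and question must match, the rcode must be NOERROR, the answer must contain the queried type and must not have been replaced by A records (the sitefinder-style substitution Florian describes), an RRSIG must be present since the probed name is chosen to be signed, and the OPT/DO bits must be honoured. The exact checks and the `looks_sensible` name are my choices, the two replies are constructed samples rather than captured traffic, and the RRSIG check only looks for the record's presence; it does not validate the signature.

```python
import struct

TYPE_A, TYPE_NS, TYPE_RRSIG, TYPE_OPT = 1, 2, 46, 41
EDNS_DO = 0x8000          # DO bit lives in the OPT RR's "TTL" field (RFC 6891)

def encode_name(name):
    """Wire-encode a dotted name; "." (the root) becomes a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_probe(qid, qname=".", qtype=TYPE_NS):
    """Probe query: RD set plus an EDNS0 OPT record with DO set ("Christmas tree")."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)   # root name, 4096 payload
    return header + question + opt

def parse_message(msg):
    """Minimal parser: header, questions, and (section, name, type, ttl, rdata) records."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name.lower(), rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return {"id": qid, "flags": flags, "questions": questions, "records": records}

def looks_sensible(query, response):
    """Return (ok, reason): is this reply from a resolver the client should use?"""
    q = parse_message(query)
    try:
        r = parse_message(response)
    except (struct.error, IndexError, UnicodeDecodeError):
        return False, "malformed response"
    if r["id"] != q["id"]:
        return False, "transaction id mismatch"
    if not r["flags"] & 0x8000:
        return False, "QR bit not set"
    if r["flags"] & 0x000F:
        return False, "rcode %d, expected NOERROR" % (r["flags"] & 0x000F)
    if r["questions"] != q["questions"]:
        return False, "question section not echoed"
    qname, qtype = q["questions"][0]
    answers = [rec for rec in r["records"] if rec[0] == "answer" and rec[1] == qname]
    if qtype != TYPE_A and any(rec[2] == TYPE_A for rec in answers):
        return False, "A records substituted for the real answer (sitefinder-style)"
    if not any(rec[2] == qtype for rec in answers):
        return False, "no answer of the queried type"
    if not any(rec[2] == TYPE_RRSIG for rec in answers):   # presence only, no validation
        return False, "DO was set but no RRSIG returned for a signed name"
    opts = [rec for rec in r["records"] if rec[0] == "additional" and rec[2] == TYPE_OPT]
    if not opts or not opts[0][3] & EDNS_DO:
        return False, "EDNS0/DO not honoured"
    return True, "ok"

def make_response(qid, qname, qtype, answers, edns=True, rcode=0):
    """Constructed sample reply (not captured traffic); answers = [(rtype, ttl, rdata), ...]."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(answers), 0, 1 if edns else 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, ttl, rdata in answers:
        body += encode_name(qname) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    if edns:
        body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + body

PROBE = build_probe(0x1234)
# Constructed honest reply: a root NS record plus an RRSIG covering it. The RRSIG
# rdata is a dummy placeholder; looks_sensible only checks that the record exists.
GOOD = make_response(0x1234, ".", TYPE_NS, [
    (TYPE_NS, 518400, encode_name("a.root-servers.net")),
    (TYPE_RRSIG, 518400, b"\x00" * 32)])
# Constructed NXDOMAIN-redirecting reply: an A record for a "search site", no EDNS at all.
SITEFINDER = make_response(0x1234, ".", TYPE_NS,
                           [(TYPE_A, 300, bytes([192, 0, 2, 1]))], edns=False)

if __name__ == "__main__":
    for label, reply in (("good", GOOD), ("sitefinder", SITEFINDER)):
        print(label, looks_sensible(PROBE, reply))
```

In a real client the probe would be sent over UDP to the candidate server and the reply fed to `looks_sensible`; a `False` result means the client falls back to its existing resolver rather than adopting a server that would make things worse. Probing a fixed signed record under .ARPA instead of NS "." needs only a different `qname`/`qtype` in `build_probe`.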
