On Wed, Feb 25, 2015 at 09:14:53AM +0000, Ray Bellis <ray.bel...@nominet.org.uk> wrote a message of 30 lines which said:
> However in the child-centric case this can cause problems when the
> NS set held by the parent changes (i.e. the zone is redelegated) but
> the NS set in the old set of servers isn't also updated. Such a
> child-centric resolver may completely fail to notice the
> redelegation.

Yes, this is the "phantom domains" attack. Let me amend the suggested
definition:

Child-centric resolver: a DNS resolver which will replace, in its
memory, the NS RRset and glue records obtained from the parent, by data
from the authoritative servers of the zone they belong to. This is the
proper behaviour (but note that a resolver MUST re-check from the
parent at some interval, to avoid "phantom domains").

And this is the opportunity to define phantom domains:

Phantom domain: a domain which was delegated but is no more, and is
still "active" in some resolvers because they did not check the parent
yet.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
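The two behaviours discussed above, as an added toy model that is not code from the thread or from any resolver: a single-zone child-centric cache in which the child's NS RRset replaces the parent's, with an optional bounded interval for re-checking the parent. The zone name, server names and timeline are constructed; `None` as the interval models a resolver that never returns to the parent, which is what produces a phantom domain.

```python
from typing import Dict, FrozenSet, Optional

NSSet = FrozenSet[str]


class ChildCentricResolver:
    """Single-zone toy cache. parent_recheck_interval=None models a resolver that
    never goes back to the parent once it holds the child's NS set."""

    def __init__(self, parent_recheck_interval: Optional[int]):
        self.recheck = parent_recheck_interval
        self.ns: Optional[NSSet] = None          # NS RRset currently trusted for the zone
        self.last_parent_check: Optional[int] = None

    def lookup_ns(self, now: int, parent: Optional[NSSet],
                  servers: Dict[str, Optional[NSSet]]) -> Optional[NSSet]:
        """parent: NS set the parent delegates to right now (None = delegation removed).
        servers: the NS RRset each authoritative server answers for the zone
        (None = that server no longer answers for the zone)."""
        need_parent = self.ns is None
        if not need_parent and self.recheck is not None:
            need_parent = now - self.last_parent_check >= self.recheck
        if need_parent:
            self.last_parent_check = now
            self.ns = parent                     # start over from the parent's delegation
            if parent is None:
                return None                      # no longer delegated: nothing to hold
        # Child-centric step: ask a server we currently trust and let its
        # authoritative NS RRset replace what we hold (child data wins over parent data).
        server = sorted(self.ns)[0]
        answer = servers.get(server)
        if answer is not None:
            self.ns = answer
        return self.ns


def redelegation_scenario(recheck: Optional[int]) -> Dict[int, Optional[NSSet]]:
    """Constructed timeline (abstract seconds): zone delegated to ns-old at t=0,
    redelegated to ns-new at t=100 while the old servers keep serving their stale
    NS RRset, delegation removed entirely at t=300. Returns what the resolver
    trusts at each query time."""
    old, new = frozenset({"ns-old.example."}), frozenset({"ns-new.example."})
    stale_servers = {"ns-old.example.": old, "ns-new.example.": new}
    resolver = ChildCentricResolver(recheck)
    trusted = {}
    for t, parent in [(0, old), (50, old), (100, new), (150, new), (300, None), (350, None)]:
        trusted[t] = resolver.lookup_ns(t, parent, stale_servers)
    return trusted
```

With `recheck=None` the resolver keeps answering `ns-old` long after the redelegation and even after the delegation is gone (the phantom domain); with a bounded interval it picks up `ns-new` and then drops the zone once the parent stops delegating it.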