On 04/10/2017 12:04 PM, Peter van Dijk wrote:
Section 3 is currently written in such a way that a recursive DNS
lookup must be performed at the authoritative server side. I don't
think it is necessary to require that. A recursive DNS lookup of the
target is just one way to implement this.

What other ways did you have in mind?

Private arrangement with the target zone operator (that is, direct,
out-of-band access to the zone).

In particular, the suggested recursive DNS lookup needs some form of
distributed loop detection. Otherwise, a malicious customer could
publish two zones with ANAME records and achieve significant traffic
amplification, potentially taking down the DNS hoster. A hop count in
an EDNS option or an “ANAME lookup in progress” indicator would be one
way to implement this. Another approach would impose restrictions on
the owner name of an ANAME record and its target, and restrict where
CNAMEs can appear, so that a valid ANAME can never point to another
valid ANAME.

I’m not sure it’s feasible to forbid chaining ANAMEs. I do agree there
is a vector for DoS here. Section 6 currently cowardly says “Both
authoritative servers and resolvers that implement ANAME should
carefully check for loops and treat them as an error condition.” but I
am aware that more words are needed.

I don't see how you can detect loops without DNS protocol changes. The
query that comes back will look like a completely fresh query.
Thanks,
Florian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
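The amplification scenario and the two mitigations discussed in the thread, as an added simulation that is not part of the mailing-list exchange or of the ANAME draft. Two constructed zones (a.example. and b.example.) hosted by the same operator point their ANAME records at each other; the hop count that the thread suggests carrying in an EDNS option is modelled here as a plain parameter forwarded with each upstream lookup, and the alternative static restriction (an ANAME target may never itself be an ANAME owner) is modelled as a check over the zone data the operator can see. The zone names, the address data and the MAX_HOPS value of 4 are all assumptions chosen for the example.

```python
"""Simulated ANAME expansion with hop-count loop detection.

Constructed example (not from the DNSOP thread or the ANAME draft).  The
authoritative server expands an ANAME by looking up its target; when the
target is hosted on the same servers, the lookup comes back as what looks
like a fresh query.  Forwarding a hop count with that query (the thread's
suggested EDNS option) is what lets the server cut the chain off.
"""
from dataclasses import dataclass, field

MAX_HOPS = 4  # assumed limit; the thread names no specific value

# Constructed zone data: owner name -> either an ANAME target or A records.
# a.example. and b.example. form the malicious two-zone loop; www.example.
# is a well-behaved ANAME with a single hop to address records.
ZONES = {
    "a.example.": {"ANAME": "b.example."},
    "b.example.": {"ANAME": "a.example."},
    "www.example.": {"ANAME": "cdn.example."},
    "cdn.example.": {"A": ["192.0.2.10", "192.0.2.11"]},
}


class LoopDetected(Exception):
    """Raised when an ANAME chain exceeds the hop limit."""


@dataclass
class Stats:
    upstream_queries: int = 0                  # lookups the server had to issue
    trail: list = field(default_factory=list)  # names visited, for diagnostics


def resolve_aname(name, hops=0, stats=None, max_hops=MAX_HOPS):
    """Expand the ANAME at `name` into address records.

    `hops` stands in for the hop-count option: each upstream lookup of an
    ANAME target forwards hops + 1, and a query arriving with
    hops >= max_hops is refused instead of expanded further.
    """
    stats = stats if stats is not None else Stats()
    stats.trail.append(name)
    rr = ZONES.get(name)
    if rr is None:
        return [], stats                       # no data: nothing to expand
    if "A" in rr:
        return list(rr["A"]), stats            # terminal: real addresses
    if hops >= max_hops:
        raise LoopDetected(f"ANAME chain exceeded {max_hops} hops: {stats.trail}")
    stats.upstream_queries += 1                # one more query on the wire
    return resolve_aname(rr["ANAME"], hops + 1, stats, max_hops)


def lookup(name, max_hops=MAX_HOPS):
    """Client-facing wrapper: (addresses, upstream queries issued, looped?).

    The upstream query count is the amplification factor for one client
    query; with a loop it grows to exactly max_hops before the cut-off.
    """
    stats = Stats()
    try:
        addrs, _ = resolve_aname(name, 0, stats, max_hops)
        return addrs, stats.upstream_queries, False
    except LoopDetected:
        return [], stats.upstream_queries, True


def chained_anames(zones):
    """Static check for the alternative approach from the thread: list every
    ANAME whose target is itself the owner of an ANAME, so the operator can
    refuse such zones at provisioning time.  Only possible when the operator
    can see both zones (the out-of-band arrangement), not for remote targets.
    """
    return [(owner, rr["ANAME"]) for owner, rr in zones.items()
            if "ANAME" in rr and "ANAME" in zones.get(rr["ANAME"], {})]


if __name__ == "__main__":
    print("www.example. ->", lookup("www.example."))
    print("a.example.   ->", lookup("a.example."))
    print("a.example. with a lax limit ->", lookup("a.example.", max_hops=50))
    print("ANAME -> ANAME chains in hosted zones:", chained_anames(ZONES))
```

The third call shows why the limit matters: raising the hop count to 50 turns one client query into 50 upstream lookups before the loop is broken, which is the amplification the thread warns about. The static check catches the same two zones without any lookups, but only because both are in the operator's own data; a target in a zone hosted elsewhere cannot be inspected that way.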