On 04/27/2017 11:31 AM, Mark Andrews wrote:
> If you want to advocate for changes to behaviour that is fine, but advocate for that. Just saying "shouldn't the rcode be NOERROR" isn't doing that. Then there is DNSSEC. If the target zone is signed and DO=1 is set in the query should you include the data from the target zone?
Do you suggest using data which is impossible to use under the trust rules because it is cryptographically signed?
This would mean that many DNSSEC validation bugs turn into critical cache poisoning bugs because they can be used by off-path attackers to poison caches. (Usually, a single query for an attacker-controlled name would be enough, and it could likely be a PTR query.) I'm not sure if saving a server round-trip is worth it. In particular, since the recursive resolver already has the infrastructure records for the target in cache if it can do cryptographic validation, it should know exactly where to fetch the target record anyway.
In general, cryptography as the single line of defense is a very, very bad idea because it almost never works correctly.
Thanks,
Florian

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
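The following is an added illustration of the argument in Florian's message; it is not code from the thread or from any resolver implementation. It models a resolver's cache-acceptance decision for a response in which a server authoritative for one zone also includes a signed record from the CNAME target's zone. All names, records, the "answering zone" and the two validators are constructed: `correct_validator` only accepts a record whose signature verifies, while `buggy_validator` stands in for a validation bug (it treats the mere presence of a signature as verification). The bailiwick rule is deliberately simplified to a name-suffix check.

```python
"""Cache acceptance with and without a non-cryptographic credibility rule.

Constructed example: a response from a server authoritative for example.net
carries a CNAME plus a forged, bogus-signed A record for the target name in
example.org. With a crypto-only policy, a validator bug lets the forged
record into the cache; an independent bailiwick check drops it regardless.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class RR:
    """One resource record as seen in a response (constructed model)."""
    name: str
    rtype: str
    rdata: str
    signed: bool = False      # an RRSIG accompanies the RRset
    sig_valid: bool = False   # whether that RRSIG actually verifies (simulated)


def in_bailiwick(name: str, zone: str) -> bool:
    """Credibility rule: a server may only supply data at or below the zone
    it answered for. Simplified suffix match for the example."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def correct_validator(rr: RR) -> bool:
    """Hypothetical validator with no defects: signature must verify."""
    return rr.signed and rr.sig_valid


def buggy_validator(rr: RR) -> bool:
    """Models a validation bug: a present signature is mistaken for a verified one."""
    return rr.signed


def cache_accept(records: List[RR], answering_zone: str,
                 validator: Callable[[RR], bool],
                 bailiwick_check: bool) -> List[RR]:
    """Return the records the resolver would admit to its cache.

    bailiwick_check=False: out-of-zone data is accepted iff the validator
    says so (cryptography as the single line of defense).
    bailiwick_check=True:  out-of-zone data is dropped before any
    cryptographic decision is consulted (defense in depth).
    """
    accepted = []
    for rr in records:
        credible = in_bailiwick(rr.name, answering_zone)
        if not credible and bailiwick_check:
            continue                      # dropped regardless of DNSSEC
        if not credible and not validator(rr):
            continue                      # crypto-only policy: validator decides
        accepted.append(rr)
    return accepted


# Constructed response: server for example.net answers a CNAME and also
# volunteers a target-zone A record whose signature does NOT verify.
ANSWERING_ZONE = "example.net."
RESPONSE = [
    RR("www.example.net.", "CNAME", "host.example.org."),
    RR("host.example.org.", "A", "198.51.100.66", signed=True, sig_valid=False),
]


def crypto_only(validator: Callable[[RR], bool]) -> List[str]:
    """Rdata admitted when only the validator guards out-of-zone data."""
    return [rr.rdata for rr in cache_accept(RESPONSE, ANSWERING_ZONE, validator, False)]


def defense_in_depth(validator: Callable[[RR], bool]) -> List[str]:
    """Rdata admitted when the bailiwick rule is applied independently."""
    return [rr.rdata for rr in cache_accept(RESPONSE, ANSWERING_ZONE, validator, True)]


if __name__ == "__main__":
    print("crypto-only, correct validator:", crypto_only(correct_validator))
    print("crypto-only, buggy validator:  ", crypto_only(buggy_validator))
    print("bailiwick + buggy validator:   ", defense_in_depth(buggy_validator))
```

With the correct validator both policies cache only the in-zone CNAME. With the buggy validator, the crypto-only policy also caches the forged `198.51.100.66` address for `host.example.org`, while the bailiwick-checked policy still rejects it, which is the sense in which a validation bug becomes a cache-poisoning bug only when cryptography is the sole gate.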