On 4/9/19 3:38 PM, Richard Gibson wrote:
> This loop is one reason of several to eliminate inline resolution for
> ANAME if possible and minimize it otherwise, but is not quite as bad
> as it seems because all involved servers can—and should—avoid issuing
> queries that are redundant with an already-active request. But even if
> they don't, the early queries eventually time out and rate limiting
> eventually detects and caps the runaway load.
>
> In other words, this misconfiguration does not create any new
> vulnerabilities, and existing mechanisms are already sufficient to
> handle it (although the document should explicitly mention them to
> avoid subjecting new implementers to unnecessarily painful lessons).

I can't even see a simple way of detecting this.  At least in the
implementation suggested by Jan where you have an authoritative that
calls out to a resolver (which calls out to authoritatives...) - it
would need some magic that somehow links one query of the cycle to the
other but regular DNS queries do not currently carry such information
AFAIK.  Am I missing some obvious approach?

--Vladimir (Knot Resolver)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to