[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Mohsen Souissi mohsen.souissi at nic.fr
Tue Aug 19 10:30:26 UTC 2008


Florian,

 On 08 Aug, Florian Weimer wrote:
[...]
 | 
 | The whole test is bogus anyway because publicly available recursive
 | service is neither necessary nor sufficient for the presence of cache
 | poisoning potential.  For instance, it reports FR as "safe", even
 | though A.NIC.FR apparently serves the glue for A.NIC.FR from cache.
          ^^^^^^^^                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 | (Note that I don't want to pick on AFNIC here; this is very common
 | among zone operators.)  The example only shows that the ICANN testing
 | methodology is deeply flawed: There are both false positives and false
 | negatives.

==> I want to reassure you, I don't feel "picked on" at all :-)

Actually, I'm not writing because I work for AFNIC but just as a
member of this list.

Your remark is quite interesting.

a.nic.fr does indeed serve a.nic.fr addresses from its cache in the
additional section when queried for fr NS's.

I've run a short test for a handful of TLDs and I find the same
behavior. I'm not picking on other TLDs :-) 

This is just an operational question we could (should?) have a debate
on and I'm trying to bring some illustration.

For example:

 - "dig @[fz].nic.de de ns"
 - "dig @ca0[1-6].cira.ca ca ns"
 - "dig @[a-m].gtld-servers.net net ns"

all have the same behavior as a.nic.fr (if I'm not wrong) as they are
not authoritative for the child zone in which sits the NS. The list of
examples may be quite long I guess, that's not the point.


On the other hand, a.nic.de *does not* have the same behavior as
f.nic.de and z.nic.de.

[bd].ext.nic.fr (fr secondary servers operated by ISC) and others do
not have the same behavior as a.nic.fr

This proves that other TLD servers behave in another way.

So my understanding is that serving A/AAAA in the additional section
could help optimize the iterative queries down to the authoritative
servers, and that's why it seems to be a widely spread configuration choice.


I have seen no reaction on this list related to this matter and I'm
curious to learn what people here think.

Is that considered a bad idea?

Please justify whether the answer is YES or NO.


If the answer is "YES", may/should/must that behavior be
disabled/stopped by simply configuring the server not to answer from
cache, by setting for example "allow-query-cache { none; };" a la BIND
9.4/9.5+ ?


I would be happy to get an explanation on this matter.

Thanks in advance,

Mohsen.
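As an added illustration (not part of the post above), one way to tell whether the additional-section addresses come from the zone or from the cache, and to verify the effect of "allow-query-cache { none; };": zone data keeps a constant TTL between two dig runs, cached data counts down, and a direct +norecurse query for a name the server hosts no zone for is REFUSED once the cache is closed. It parses dig's text output; the names and addresses in the samples are constructed.

```python
import re
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)", re.M)

def parse_section(dig_output, wanted="ADDITIONAL"):
    """Return {(owner, type, rdata): ttl} for one section of dig's output."""
    records, current = {}, None
    for line in dig_output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current == wanted and (m := RR_RE.match(line)):
            owner, ttl, rtype, rdata = m.groups()
            records[(owner, rtype, rdata)] = int(ttl)
    return records

def cache_served(first, second):
    """Owners in the ADDITIONAL section whose TTL changed between two queries
    a few seconds apart: zone data is constant, a cached record counts down."""
    a, b = parse_section(first), parse_section(second)
    return sorted({k[0] for k in a if k in b and b[k] != a[k]})

def direct_query_verdict(dig_output):
    """Verdict for 'dig @server name A +norecurse' on a name the server serves
    no zone for; REFUSED is what allow-query-cache { none; } produces."""
    status = STATUS_RE.search(dig_output).group(1)
    m = FLAGS_RE.search(dig_output)
    flags, answers = m.group(1).split(), int(m.group(2))
    if status == "REFUSED":
        return "cache closed"
    if status == "NOERROR" and answers and "aa" not in flags:
        return "answered from cache"
    return "authoritative or no data"

# Constructed responses to 'dig @a.nic.example example ns' taken 6 s apart.
FIRST = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; ADDITIONAL SECTION:
a.nic.example.\t\t3594\tIN\tA\t192.0.2.1
b.ext.example.\t\t172800\tIN\tA\t198.51.100.1
"""
SECOND = FIRST.replace("3594", "3588")   # glue for a.nic.example counted down
# Constructed answer to 'dig @a.nic.example a.nic.example a +norecurse' once closed.
REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
```

Run the NS query twice against your own server and feed both outputs to cache_served(); an empty result means every additional record came from zone data.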



