[dns-operations] Reporting glue as authoritative data -- Bug!
mlarson at verisign.com
Thu Jan 31 18:43:27 UTC 2008
On Thu, 31 Jan 2008, Paul Vixie wrote:
> "hybrid answer" is a term i'm choking on since i think these answers are
> obviously and indefensibly wrong.
No, please read back a bit in this thread. Reasonable people can, and
have, disagreed on this issue. My original comment stands: it's not
cut and dried, and repeating that it is does not make it true.
> one of the many evils they let loose is for someone to set up a
> nameserver www.childporn.com, refer to it from one or more other
> domains, and get free dns service from the .COM servers for their
> illicit activities, using a domain name which can't be tracked or
> tapped by law enforcement, and which can't be shut off due to
> ICANN's policies. if no "hybrid" answers were forthcoming, then
> this trick would not work. note that the implications from dnssec
> on clarifying who owns what and who can answer for what are more
> compelling in my opinion, but, there is also some evil that's let
> loose by answering queries for NS RRs and A RRs that should properly
> be referred instead.
Your scenario is impossible with the current business rules of the
.com/.net registry and has been for years.
Let's say you wanted to get free resolution for a web server, so you
want something like this for an end state:
vix.com. NS ns.lah1.vix.com.
vix.com. NS ns.sjc1.vix.com.
vix.com. NS ns.sql1.vix.com.
vix.com. NS ns-ext.isc.org.
vix.com. NS www.paul-wants-this-for-free.com.
(Obviously with an A RR for "www.paul-wants-this-for-free.com"
resolvable by the .com servers.)
The necessary preconditions are:
1. The "paul-wants-this-for-free.com" domain must be registered, just
like any other .com domain.
2. Only the registrar that owns "paul-wants-this-for-free.com" can add
a "www.paul-wants-this-for-free.com" name server to the .com
registry and you'll have to convince them to do so. This depends
on a particular registrar's policies, but if "vix.com" and
"paul-wants-this-for-free.com" are owned by different registrars,
So the situation you suggest--that one can get free resolution for
illicit .com/.net domains in an untraceable manner--is not possible.