[dns-operations] Reporting glue as authoritive data -- Bug!

Matt Larson mlarson at verisign.com
Thu Jan 31 18:43:27 UTC 2008 

On Thu, 31 Jan 2008, Paul Vixie wrote:
> "hybrid answer" is a term i'm choking on since i think these answers are
> obviously and indefensibly wrong.

No, please read back a bit in this thread.  Reasonable people can, and
have, disagreed on this issue.  My original comment stands: it's not
cut and dried, and repeating that is does not make it true.

> one of the many evils they let loose is for someone to set up a
> nameserver www.childporn.com, refer to it from one or more other
> domains, and get free dns service from the .COM servers for their
> illicit activities, using a domain name which can't be tracked or
> tapped by law enforcement, and which can't be shut off due to
> ICANN's policies.  if no "hybrid" answers were forthcoming, then
> this trick would not work.  note that the implications from dnssec
> on clarifying who owns what and who can answer for what are more
> compelling in my opinion, but, there is also some evil that's let
> loose by answering queries for NS RRs and A RRs that should properly
> be referred instead.

Your scenario is impossible with the current business rules of the
.com/.net registry and has been for years.

Let's say you wanted to get free resolution for a web server, so you
want something like this for an end state:

  vix.com.      NS      ns.lah1.vix.com.
  vix.com.      NS      ns.sjc1.vix.com.
  vix.com.      NS      ns.sql1.vix.com.
  vix.com.      NS      ns-ext.isc.org.
  vix.com.      NS      www.paul-wants-this-for-free.com.

(Obviously with an A RR for "www.paul-wants-this-for-free.com"
resolvable by the .com servers.)

The necessary preconditions are:

1. The "paul-wants-this-for-free.com" domain must be registered, just
   like any other .com domain.

2. Only the registrar that owns "paul-wants-this-for-free.com" can add
   a "www.paul-wants-this-for-free.com" name server to the .com
   registry and you'll have to convince them to do so.  This depends
   on a particular registrar's policies, but if "vix.com" and
   "paul-wants-this-for-free.com" are owned by different registrars,
   forget it.

So the situation you suggest--that one can get free resolution for
illicit .com/.net domains in an untraceable manner--is not possible.

Matt

More information about the dns-operations mailing list