[dns-operations] DNS trust dependencies for TLDs
Matthew Dempsky
matthew at dempsky.org
Mon Jun 15 00:16:00 UTC 2009
On Sun, Jun 14, 2009 at 4:48 PM, Mark Andrews <marka at isc.org> wrote:
> What DoS attacks? TLD's changing from delegation only to
> having in zone data is not a DoS attack, it is a design
> feature.
Suppose a BIND cache is configured with .so as a delegation-only zone
(e.g., according to https://www.isc.org/node/355). My understanding
of the delegation-only setting is that if an attacker sends an
explicit A query for a.nic.so to this BIND cache, it will first ask
the root servers, receive a delegation to the .so servers; then it
will try to ask a .so server, but because .so is delegation-only, BIND
will discard the response and instead cache it as NXDOMAIN. The
attacker can then repeat this for {b,c,d,e}.nic.so, so BIND will no
longer know any .so name server addresses, and so future queries
within the .so zone will fail.
Do I misunderstand?
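A constructed model of the scenario described above, added here as an example; it is not code from the post, from BIND, or from ISC. It assumes the simplified rules the post states: a non-referral answer from a TLD marked delegation-only is discarded and cached as NXDOMAIN, and a TLD server whose name is cached as NXDOMAIN is no longer usable. The `in_zone_nameservers` helper is a pre-configuration check, also an addition: it reports which of a TLD's nameserver names live inside the TLD itself, which is exactly the condition under which delegation-only breaks resolution. All names, addresses (RFC 5737 documentation ranges), and zone data are made up.

```python
# Constructed model of a recursive cache with ".so" configured as a
# delegation-only zone. Not BIND code; names and data are made up.
NXDOMAIN = "NXDOMAIN"
SERVFAIL = "SERVFAIL"

# Root zone view (constructed): the "so" delegation and its glue.
ROOT_NS = {"so": ["a.nic.so", "b.nic.so"]}
ROOT_GLUE = {"a.nic.so": "192.0.2.1", "b.nic.so": "192.0.2.2"}

# Data served by the .so servers (constructed): in-zone nameserver
# addresses plus one ordinary delegation to a registrant.
SO_IN_ZONE = {"a.nic.so": "192.0.2.1", "b.nic.so": "192.0.2.2"}
SO_DELEGATIONS = {"example.so": ["ns1.example.net"]}


def tld_of(name):
    return name.rsplit(".", 1)[-1]


def so_authoritative(qname):
    """How a .so server answers: in-zone answer, referral, or NXDOMAIN."""
    if qname in SO_IN_ZONE:
        return "answer", SO_IN_ZONE[qname]
    for child, ns in SO_DELEGATIONS.items():
        if qname == child or qname.endswith("." + child):
            return "delegation", ns
    return "nxdomain", None


def in_zone_nameservers(tld):
    """Pre-configuration check: NS names of a TLD that sit inside the TLD.
    Any hit means delegation-only would discard the very answers the cache
    needs in order to reach that TLD's servers."""
    return [ns for ns in ROOT_NS.get(tld, []) if tld_of(ns) == tld]


def resolve(cache, qname, delegation_only):
    """One A lookup through the modelled cache. `cache` maps name -> address
    or NXDOMAIN; `delegation_only` is the set of TLDs marked delegation-only."""
    if qname in cache:
        return cache[qname]
    tld = tld_of(qname)
    if tld not in ROOT_NS:
        cache[qname] = NXDOMAIN
        return NXDOMAIN
    # A TLD server is usable only while its name is not cached as NXDOMAIN.
    usable = [ROOT_GLUE[ns] for ns in ROOT_NS[tld] if cache.get(ns) != NXDOMAIN]
    if not usable:
        return SERVFAIL
    kind, data = so_authoritative(qname)
    if kind == "answer":
        if tld in delegation_only:
            # delegation-only: a non-referral answer from the TLD servers
            # is rejected and the name is cached as NXDOMAIN.
            cache[qname] = NXDOMAIN
            return NXDOMAIN
        cache[qname] = data
        return data
    if kind == "delegation":
        return ("delegated", data)  # resolution would continue at the child
    cache[qname] = NXDOMAIN
    return NXDOMAIN


def run_scenario(delegation_only):
    """The query sequence from the post: the TLD's own nameserver names,
    then an ordinary name under the TLD. Returns the list of outcomes."""
    cache = {}
    names = ["a.nic.so", "b.nic.so", "example.so"]
    return [resolve(cache, n, delegation_only) for n in names]


if __name__ == "__main__":
    print("in-zone nameservers of .so:", in_zone_nameservers("so"))
    print("with .so delegation-only:  ", run_scenario({"so"}))
    print("without:                   ", run_scenario(set()))
```

With `so` in the delegation-only set, the two nameserver names come back NXDOMAIN and the ordinary `example.so` lookup then fails with SERVFAIL, matching the post's description; with the setting removed, all three resolve normally. The check function is the thing to run before adding any TLD to such a list: a non-empty result means that TLD carries in-zone data the cache depends on.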