[dns-operations] DNS trust dependencies for TLDs

Matthew Dempsky matthew at dempsky.org
Mon Jun 15 00:16:00 UTC 2009

On Sun, Jun 14, 2009 at 4:48 PM, Mark Andrews<marka at isc.org> wrote:
>        What DoS attacks?  TLD's changing from delegation only to
>        having in zone data is not a DoS attack, it is a design
>        feature.

Suppose a BIND cache is configured with .so as a delegation-only zone
(e.g., according to https://www.isc.org/node/355).  My understanding
of the delegation-only setting is that if an attacker sends an
explicit A query for a.nic.so to this BIND cache, it will first ask
the root servers, receive a delegation to the .so servers; then it
will try to ask a .so server, but because .so is delegation-only, BIND
will discard the response and instead cache it as NXDOMAIN.  The
attacker can then repeat this for {b,c,d,e}.nic.so, so BIND will no
longer know any .so name server addresses, and so future queries
within the .so zone will fail.

Do I misunderstand?

More information about the dns-operations mailing list