[dns-operations] DNS trust dependencies for TLDs
Mark Andrews
marka at isc.org
Mon Jun 15 03:42:57 UTC 2009
In message <d791b8790906141716w14e74fe3wc1cf3904cf348492 at mail.gmail.com>, Matthew Dempsky writes:
> On Sun, Jun 14, 2009 at 4:48 PM, Mark Andrews<marka at isc.org> wrote:
> >         What DoS attacks?  TLD's changing from delegation only to
> >         having in zone data is not a DoS attack, it is a design
> >         feature.
>
> Suppose a BIND cache is configured with .so as a delegation-only zone
> (e.g., according to https://www.isc.org/node/355). My understanding
> of the delegation-only setting is that if an attacker sends an
> explicit A query for a.nic.so to this BIND cache, it will first ask
> the root servers, receive a delegation to the .so servers; then it
> will try to ask a .so server, but because .so is delegation-only, BIND
> will discard the response and instead cache it as NXDOMAIN. The
> attacker can then repeat this for {b,c,d,e}.nic.so, so BIND will no
> longer know any .so name server addresses, and so future queries
> within the .so zone will fail.
>
> Do I misunderstand?
If you turn delegation-only on and the zone is not a
delegation-only zone then some lookups will be translated.
If the translated answer happens to be for an address of a
nameserver then lookups will break. This is what is expected
to happen.

delegation-only comes with warnings saying not to apply it
to non-delegation-only zones. SO is not a delegation-only
zone so you shouldn't turn it on for SO.

delegation-only is a cocked loaded gun and should be used
carefully.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
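A small Python model of the delegation-only check discussed in this thread, added here as an illustration; it is not code from the thread or from BIND. The .so name server names come from the message, while the Response shape and the address 192.0.2.1 are constructed.

```python
from dataclasses import dataclass, field

# Simplified model of a delegation-only zone check (constructed for this
# thread, not BIND's implementation). A response carries the query name, any
# answer RRs and the owner names of NS RRs in its authority section.
@dataclass
class Response:
    qname: str
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)        # (name, type, rdata)
    authority_ns: list = field(default_factory=list)  # owner names of NS RRs

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def is_delegation(resp, zone):
    # A referral delegates strictly below the apex: an NS owner under the
    # zone that also covers the query name.
    return any(owner != zone and in_zone(owner, zone) and in_zone(resp.qname, owner)
               for owner in resp.authority_ns)

def apply_delegation_only(resp, zone, delegation_only_zones):
    """Return the response as a cache with delegation-only would treat it."""
    if zone not in delegation_only_zones or not in_zone(resp.qname, zone):
        return resp
    if resp.qname == zone or is_delegation(resp, zone):
        return resp                      # apex data and referrals pass through
    # In-zone data with no delegation in the authority section: NXDOMAIN.
    return Response(resp.qname, rcode="NXDOMAIN")

def resolve_so_nameservers(delegation_only_zones):
    # .so serves A records for its own NS hosts directly, i.e. it is not a
    # delegation-only zone. Each reply below is constructed sample data.
    ns_hosts = ["a.nic.so", "b.nic.so", "c.nic.so", "d.nic.so", "e.nic.so"]
    cache = {}
    for host in ns_hosts:
        reply = Response(host, answer=[(host, "A", "192.0.2.1")])
        cache[host] = apply_delegation_only(reply, "so", delegation_only_zones).rcode
    return cache

if __name__ == "__main__":
    print("without delegation-only:", resolve_so_nameservers(set()))
    print("with delegation-only:   ", resolve_so_nameservers({"so"}))
```

With `"so"` marked delegation-only every NS address answer is rewritten to NXDOMAIN, which is the breakage described above; a true referral such as one for `www.example.so` is left intact.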