[dns-operations] DNS trust dependencies for TLDs

Mark Andrews marka at isc.org
Mon Jun 15 03:42:57 UTC 2009

In message <d791b8790906141716w14e74fe3wc1cf3904cf348492 at mail.gmail.com>, Matthew Dempsky writes:
> On Sun, Jun 14, 2009 at 4:48 PM, Mark Andrews<marka at isc.org> wrote:
> > What DoS attacks?  TLDs changing from delegation only to
> > having in zone data is not a DoS attack, it is a design
> > feature.
> Suppose a BIND cache is configured with .so as a delegation-only zone
> (e.g., according to https://www.isc.org/node/355).  My understanding
> of the delegation-only setting is that if an attacker sends an
> explicit A query for a.nic.so to this BIND cache, it will first ask
> the root servers, receive a delegation to the .so servers; then it
> will try to ask a .so server, but because .so is delegation-only, BIND
> will discard the response and instead cache it as NXDOMAIN.  The
> attacker can then repeat this for {b,c,d,e}.nic.so, so BIND will no
> longer know any .so name server addresses, and so future queries
> within the .so zone will fail.
> Do I misunderstand?

	If you turn delegation-only on and the zone is not a
	delegation-only zone then some lookups will be translated.
	If the translated answer happens to be for an address of a
	nameserver then lookups will break.  This is what is expected
	to happen.

	delegation-only comes with warnings saying not to apply it
	to non-delegation-only zones.  SO is not a delegation-only
	zone so you shouldn't turn it on for SO.

	delegation-only is a cocked loaded gun and should be used

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
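As an added illustration (not part of this thread), here are the two BIND named.conf forms the discussion turns on: the per-zone setting applied to a TLD that carries in-zone data, beside the option form that enforces delegation-only for TLDs while excluding such zones. The exclude list is illustrative, not a recommendation for any particular TLD.

```conf
// Misapplied: .so has in-zone data (the nic.so name servers among it), so a
// delegation-only cache rewrites those non-delegation answers to NXDOMAIN,
// and once the name server addresses are gone, lookups under .so break.
zone "so" {
    type delegation-only;
};

// Safer shape: enforce delegation-only for TLDs in general, but exclude every
// TLD known to serve in-zone data, so the rewrite never touches their records.
// (Exclude list is an assumption for illustration; maintain it from real data.)
options {
    root-delegation-only exclude { "so"; };
};
```

Before enabling either form, confirm from the TLD's own zone that it really serves nothing but delegations, since the cache will silently turn any in-zone answer into a negative one.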
