[dns-operations] Another possible .gov validation problem?

Edward Lewis Ed.Lewis at neustar.biz
Mon Feb 14 14:29:33 UTC 2011


At 8:15 +0000 2/14/11, George Barwood wrote:

>The practical issue here is detecting that there actually IS a problem.

Even if name server code evolved to look at inter-zone implications 
as 2181 hints towards, this would not eliminate the problem of 
NXDOMAIN vs. SERVFAIL.

>In another context (glue), RFC 2181 says this
>
>    Where a server can detect from two zone files
>    that one or more are incorrectly configured, so as to create
>    conflicts, it should refuse to load the zones determined to be
>    erroneous, and issue suitable diagnostics.

Even if this happened, it would not find this situation:

Machine A has zone X
Machine B has zone X and zone A.B.X
Machine C has zone B.X

In B.X there is no delegation to A.B.X.

Queries to A would return NXDOMAIN for WWW.A.B.X.
Queries to B would *result* in SERVAIL for WWW.A.B.X. when validated 
by a recursive server.

The deal here is that Machine B does not have the middle zone and 
doesn't know A.B.X is illegitimate.  The unstated principle tha plays 
a role in this is that no server contacts any other server during the 
loading phase, for performance reasons.  So Machine B won't 
"discover" what's in Machine C.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"



More information about the dns-operations mailing list