[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

Tony Finch dot at dotat.at
Fri Sep 28 09:00:09 UTC 2012


Phil Pennock <dnsop+phil at spodhuis.org> wrote:

> > Also, in-bailiwick is the wrong term since it includes sub-zones which
> > might be hosted elsewhere. Additional section processing doesn't require a
> > server to retrieve data it doesn't already have.
>
> From the perspective of a client trying to decide whether to trust or
> not, in-bailiwick is the only view they have; they won't probe to
> distinguish if the ADDITIONAL section records are in a sub-zone.  I
> could have written "any in-bailiwick answers which the server has
> available", to include AA and glue entries (which can still be included
> in the zone-file, although it obviously becomes a maintenance nightmare
> to do that for anything more than NS glue records).

I don't understand what bailiwicks or glue records have to do with MX targets.

> > Clients are allowed to assume that records are not dropped from the middle
> > of truncated responses, because that is forbidden by section 6.2 of RFC
> > 1035.
>
> And yet some do, which is why Bind is stricter than the RFC requires it
> to be and will only truncate at the end.

No, I think it is exactly as strict as the RFC requires. If anything there
is a bug in the EDNS spec since it doesn't explicitly amend the truncation
rules to allow records to be dropped from preceding sections.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
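As an added illustration of the truncation rule the thread is arguing about (this is example code written for this page, not code from the thread, from BIND or from any RFC), the following pure-stdlib Python builds a DNS response in wire format and shrinks it to a size limit by removing whole resource records from the end of the message, additional section first, then authority, then answer, which is the procedure RFC 1035 section 6.2 describes. Names are encoded without compression to keep the arithmetic visible, and the sample MX/NS/A records are constructed for the example. Setting TC whenever any record is omitted is a design choice of this example; a server may treat optional additional data differently.

```python
import struct

# Flag bits in the second header word
FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated

TYPE_A, TYPE_NS, TYPE_MX = 1, 2, 15


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format (labels + root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name, rtype, ttl, rdata, rclass=1):
    """Encode one resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_response(qname, qtype, sections, tc=False, msg_id=0x1234):
    """Assemble a response: header, one question, then answer/authority/additional."""
    answer, authority, additional = sections
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1,
                         len(answer), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for section in sections:
        for rr in section:
            body += encode_rr(*rr)
    return header + body


def truncate_response(qname, qtype, answer, authority, additional, max_size=512):
    """Fit the response into max_size bytes by dropping whole RRs from the END of
    the message (additional, then authority, then answer), never from the middle.
    Returns (wire, kept_counts, truncated)."""
    sections = [list(answer), list(authority), list(additional)]
    truncated = False
    while True:
        wire = build_response(qname, qtype, sections, tc=truncated)
        if len(wire) <= max_size:
            return wire, tuple(len(s) for s in sections), truncated
        # Remove the last RR of the last non-empty section and try again.
        for section in reversed(sections):
            if section:
                section.pop()
                break
        else:
            raise ValueError("header and question alone exceed max_size")
        truncated = True  # TC is set as soon as anything has been omitted


def parse_header(wire):
    """Read the header back: (tc, qdcount, ancount, nscount, arcount)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return bool(flags & FLAG_TC), qd, an, ns, ar


def demo(max_size):
    """Constructed sample: example.com MX with 4 targets, 2 NS, 4 glue-style A records.
    Returns (kept_counts, tc, wire_length) and checks the header agrees with the kept RRs."""
    hosts = ["mail%d.example.com." % i for i in range(4)]
    answer = [("example.com.", TYPE_MX, 3600, struct.pack("!H", 10) + encode_name(h))
              for h in hosts]
    authority = [("example.com.", TYPE_NS, 3600, encode_name("ns%d.example.com." % i))
                 for i in (1, 2)]
    additional = [(h, TYPE_A, 300, bytes([192, 0, 2, i])) for i, h in enumerate(hosts)]
    wire, kept, tc = truncate_response("example.com.", TYPE_MX,
                                       answer, authority, additional, max_size)
    hdr_tc, qd, an, ns, ar = parse_header(wire)
    assert (qd, an, ns, ar) == (1,) + kept and hdr_tc == tc
    return kept, tc, len(wire)


if __name__ == "__main__":
    for limit in (512, 300, 200):
        print(limit, demo(limit))
```

The full constructed message is 417 bytes, so a 512-byte limit changes nothing; a 300-byte limit removes all four additional records (the client still sees complete answer and authority sections) and sets TC; a 200-byte limit reaches into the authority and answer sections, and what remains is still a prefix of the original record order, which is exactly the property a client relies on when it chooses to use a TC response rather than retry over TCP.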