[dns-operations] chrome's 10 character QNAMEs to detect NXDOMAIN rewriting

Tony Finch dot at dotat.at
Mon Dec 16 11:30:34 UTC 2013


Paul Vixie <paul at redbarn.org> wrote:
> Robert Edmonds wrote:
> > i'm curious as to exactly what this root zone slaved resolver
> > configuration looks like and how it would behave. [...]
>
> > if i understand things right, this config could only be achieved with
> > particular resolver implementations that combine authoritative and
> > recursive service into the same server, and the only implementation i
> > know of that does that is BIND 9. ...

Yadifa says it will do recursive and authoritative service in version 2.
http://www.yadifa.eu/release-300-q3-2013

> this is true.

Except that you could (I think) use Unbound as your resolver and configure
it with a stub zone for the root pointing at a local NSD which slaves the
root.

> [...] any wide-spread support for "root zone hidden slave" would have to
> deal with this. TSIG isn't the answer since the signing key has to be
> secret if we want to prevent MiTM attacks on hidden slave root zone
> content.

TKEY ought to do the trick.

> > ..., here's a crazy idea: now that the root zone is signed, add a 14th
> > root letter, and allow AS112-style service for this new root's service
> > addresses.  that way a local network could serve the root zone locally
> > (not announcing the service prefixes to any of its peers or upstreams),
> > and thus would still have at least one root server available in the case
> > of a catastrophe, and it wouldn't be dependent on any implementation
> > specifics or even configuration settings in the recursive DNS server in
> > order to achieve. [...]
>
> i loved that idea so much that i suggested it to ICANN's Identifier
> Technology Innovation committee (of which i am also a member) a few days
> before i saw the above-quoted text. see 3.(A). in the text located at:
>
> http://mm.icann.org/pipermail/itipanel/2013-November/000017.html

Sounds a lot like the ICANN L-root dense anycast model.
http://blog.icann.org/2012/03/l-root-in-your-pocket/
http://www.menog.org/presentations/menog-10/Dave%20Knight%20-%20Dense%20Anycast%20Deployment%20of%20DNS%20Authority%20Servers.pdf

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
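The Unbound-plus-NSD split suggested in the reply above, written out as an added example; this is not part of the original message and is not configuration shipped by either project. It assumes NSD listens on 127.0.0.1 port 5353, and 192.0.2.1 stands in (as a placeholder) for whichever server the operator uses as a transfer source for the root zone. Because the root zone is signed, Unbound validates what the local slave hands back against its own trust anchor, so zone content altered in transit fails validation instead of being served; that covers the integrity side of the MiTM concern raised for hidden-slave root content, while interference with the transfer itself can still cause stale data or SERVFAIL.

```conf
# --- unbound.conf (recursive side) ---
# Added example; not the original poster's configuration.
server:
    # Unbound refuses to send queries to 127.0.0.0/8 by default; the local
    # NSD lives there, so this must be switched off.
    do-not-query-localhost: no
    # Validate everything, including answers from the local root copy,
    # so tampered or forged root data is rejected rather than cached.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

stub-zone:
    name: "."
    # Local NSD slave of the root zone (address and port are assumptions).
    stub-addr: 127.0.0.1@5353
    # Do not prime from the public root servers; the stub is authoritative
    # for ".", so no priming query is needed.
    stub-prime: no

# --- nsd.conf (authoritative side, root zone hidden slave) ---
server:
    # Listen only on loopback so this copy is never reachable from outside.
    ip-address: 127.0.0.1
    port: 5353
    hide-version: yes

zone:
    name: "."
    zonefile: "root.zone"
    # 192.0.2.1 is a placeholder for a server that allows AXFR of the root
    # zone; NOKEY means an unsigned transfer, which is why validation in
    # the resolver above matters.
    request-xfr: AXFR 192.0.2.1 NOKEY
    allow-notify: 192.0.2.1 NOKEY
    # Do not answer AXFR requests from anyone else (hidden slave).
    provide-xfr: 127.0.0.1 NOKEY
```

To check the result, query the resolver for the root SOA with `dig +dnssec @127.0.0.1 . SOA` and confirm the AD flag is set; the same query sent to 127.0.0.1 port 5353 (`dig -p 5353 @127.0.0.1 . SOA`) should show the slave's serial, and the two serials should match once the transfer has completed. If the resolver returns SERVFAIL while the slave answers, the transfer has delivered data that does not validate, which is the failure mode to watch for rather than silently degrade around.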
