[dns-operations] dmdc.osd.mil and osd.mil
tmorizot at gmail.com
Sat Nov 16 05:03:19 UTC 2013
On Fri, Nov 15, 2013 at 7:24 PM, Mark Andrews <marka at isc.org> wrote:
> Because too many authoritative servers are broken.
Yes, that's true. It's been true for a long time. Yet it seems to me like
there should be limits to what you accept. Even so, it takes a particular
degree of effort or neglect to significantly break DNS. We've been strictly
validating (and strict on what we accept from external sources even in
situations that aren't strictly related to validation as in this case) for
more than two years now. And this is the first time we've encountered this
particular sort of breakage.
Admittedly, I have the luxury of working in an organization where we
strictly control the perimeter and we actually can tell any of our 100k or
so employees that the other organization has broken their DNS and for
security reasons we won't be able to resolve their zone until they fix it.
I do understand the very different pressures an ISP faces, especially when
we're still on this side of the curve toward actually securing DNS.
Even so, it's not easy to achieve the particular sort of breakage I
described. And it's apparently a pretty uncommon way to break your
authoritative DNS. At least, it's the only such instance we've encountered
to date. Why would a caching nameserver accept and utilize a
non-authoritative response from an authoritative nameserver? That's the
part I don't understand. The brokenness will never get fixed if everyone
treats it as acceptable.
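The check the poster is asking about, the AA (authoritative answer) flag in the DNS header, as an added illustration that is not part of the original message: a strict caching resolver can decode the 12-byte header of a reply it received from a server it chose as authoritative for the zone and refuse to cache a response that lacks AA. The two sample headers are constructed here, not captured traffic, and the acceptance policy is an illustrative one, not any particular resolver's code.

```python
import struct
from dataclasses import dataclass


@dataclass
class DnsHeader:
    """Decoded 12-byte DNS header (RFC 1035 section 4.1.1)."""
    id: int
    qr: bool      # bit 15: 1 = response
    opcode: int   # bits 14-11
    aa: bool      # bit 10: authoritative answer
    tc: bool      # bit 9: truncated
    rd: bool      # bit 8: recursion desired
    ra: bool      # bit 7: recursion available
    rcode: int    # bits 3-0
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return DnsHeader(ident, bool(flags & 0x8000), (flags >> 11) & 0xF,
                     bool(flags & 0x0400), bool(flags & 0x0200),
                     bool(flags & 0x0100), bool(flags & 0x0080),
                     flags & 0x000F, qd, an, ns, ar)


def strict_accept(msg: bytes, expected_id: int) -> tuple[bool, str]:
    """Illustrative policy for a reply from a server queried *as authoritative*."""
    h = parse_header(msg)
    if h.id != expected_id:
        return False, "transaction id mismatch"
    if not h.qr:
        return False, "not a response"
    if h.tc:
        return False, "truncated; retry over TCP"
    if h.rcode not in (0, 3):          # NOERROR or NXDOMAIN only
        return False, f"rcode {h.rcode}"
    if not h.aa:                       # the breakage discussed in the thread
        return False, "authoritative server replied without AA; not cached"
    return True, "ok"


def build_header(ident, *, qr=True, aa=True, tc=False, rd=True, ra=False,
                 rcode=0, qd=1, an=1, ns=0, ar=0) -> bytes:
    flags = (qr << 15) | (aa << 10) | (tc << 9) | (rd << 8) | (ra << 7) | rcode
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed headers: a proper authoritative reply, and one from an
# "authoritative" server that answers like a recursor (AA clear, RA set).
GOOD = build_header(0x1234)
BROKEN = build_header(0x1234, aa=False, ra=True)
```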