[dns-operations] DNS Security Advisory (infinite recursion)

Robert Edmonds edmonds at mycre.ws
Tue Dec 9 18:17:03 UTC 2014

Tony Finch wrote:
> I just saw this bit in RFC 1034 page 34/35
> Step 2 looks for a name server to ask for the required data.  [...] Set up
> their addresses using local data.  It may be the case that the addresses
> are not available.  The resolver has many choices here; the best is to
> start parallel resolver processes looking for the addresses while
> continuing onward with the addresses which are available.  Obviously, the
> design choices and options are complicated and a function of the local
> host's capabilities.  The recommended priorities for the resolver designer
> are:
>    1. Bound the amount of work (packets sent, parallel processes
>       started) so that a request can't get into an infinite loop or
>       start off a chain reaction of requests or queries with other
>       SOME DATA.
> ... So I guess Jeeves wasn't vulnerable to this bug?

BTW, there's also RFC 4697 / BCP 123 which appears to have two contradictory

    2.3.  Inability to Follow Multiple Levels of Indirection


    2.3.1.  Recommendation

       Clearly constructing a delegation that relies on multiple levels of
       indirection is not a good administrative practice.  However, the
       practice is widespread enough to require that iterative resolvers be
       able to cope with it.  Iterative resolvers SHOULD be able to handle
       arbitrary levels of indirection resulting from out-of-zone name
       servers.  Iterative resolvers SHOULD implement a level-of-effort
       counter to avoid loops or otherwise performing too much work in
       resolving pathological cases.


You can support an unbounded (sorry) amount of indirection, or a bounded
amount of indirection, but not both.

Robert Edmonds

More information about the dns-operations mailing list