[dns-operations] DNS Security Advisory (infinite recursion)
Robert Edmonds
edmonds at mycre.ws
Tue Dec 9 18:17:03 UTC 2014
Tony Finch wrote:
> I just saw this bit in RFC 1034 page 34/35
>
> Step 2 looks for a name server to ask for the required data. [...] Set up
> their addresses using local data. It may be the case that the addresses
> are not available. The resolver has many choices here; the best is to
> start parallel resolver processes looking for the addresses while
> continuing onward with the addresses which are available. Obviously, the
> design choices and options are complicated and a function of the local
> host's capabilities. The recommended priorities for the resolver designer
> are:
>
> 1. Bound the amount of work (packets sent, parallel processes
> started) so that a request can't get into an infinite loop or
> start off a chain reaction of requests or queries with other
> implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
> SOME DATA.
>
> ... So I guess Jeeves wasn't vulnerable to this bug?
BTW, there's also RFC 4697 / BCP 123 which appears to have two contradictory
recommendations:
2.3. Inability to Follow Multiple Levels of Indirection
[...]
2.3.1. Recommendation
Clearly constructing a delegation that relies on multiple levels of
indirection is not a good administrative practice. However, the
practice is widespread enough to require that iterative resolvers be
able to cope with it. Iterative resolvers SHOULD be able to handle
arbitrary levels of indirection resulting from out-of-zone name
servers. Iterative resolvers SHOULD implement a level-of-effort
counter to avoid loops or otherwise performing too much work in
resolving pathological cases.
[...]
You can support an unbounded (sorry) amount of indirection, or a bounded
amount of indirection, but not both.
--
Robert Edmonds
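As an added illustration (not from the thread or any resolver's code), a toy Python model of the RFC 4697 "level-of-effort counter": the constructed zone data below has one legitimate glue-less indirection (c.example via e.example) and one delegation cycle (a.example and b.example name each other's servers without glue), and the counter is the only thing that makes the cyclic case terminate.

```python
# Constructed data (hypothetical zones/servers): zone -> NS names; NS -> glue address.
DELEGATIONS = {
    "example.":   ["ns1.example."],
    "a.example.": ["ns.b.example."],  # NS lives in a sibling zone, no glue...
    "b.example.": ["ns.a.example."],  # ...which points back: a dependency cycle
    "c.example.": ["ns.e.example."],  # one legitimate level of indirection
    "e.example.": ["ns1.example."],
}
ADDRESSES = {"ns1.example.": "192.0.2.1"}

class EffortExceeded(Exception):
    """Raised when the per-query work budget is spent."""

class Resolver:
    def __init__(self, budget=16):
        self.budget = budget  # level-of-effort limit for one client query
        self.work = 0         # steps spent so far, across all nested lookups

    @staticmethod
    def zone_of(name):
        # Closest enclosing zone with a delegation entry (skip the host label).
        labels = name.rstrip(".").split(".")
        for i in range(1, len(labels)):
            zone = ".".join(labels[i:]) + "."
            if zone in DELEGATIONS:
                return zone
        return None

    def server_for(self, name):
        """Address of a server to ask about `name`, chasing glue-less NS names."""
        self.work += 1
        if self.work > self.budget:
            raise EffortExceeded(f"gave up after {self.budget} steps")
        zone = self.zone_of(name)
        if zone is None:
            return None
        for ns in DELEGATIONS[zone]:
            if ns in ADDRESSES:
                return ADDRESSES[ns]
            # Glue-less NS: first find a server for the NS name itself (toy: counts as success).
            addr = self.server_for(ns)
            if addr is not None:
                return addr
        return None

def lookup(name, budget=16):
    """One client query -> (status, address, steps spent)."""
    r = Resolver(budget)
    try:
        return ("ok", r.server_for(name), r.work)
    except EffortExceeded:
        return ("servfail", None, r.work)
```

Without the budget check, `lookup("www.a.example.")` would recurse until the interpreter's stack limit; with it, the query fails closed after exactly budget + 1 steps while the legitimate indirection still resolves.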