[dns-operations] DNS Security Advisory (infinite recursion)

Mukund Sivaraman muks at isc.org
Wed Dec 10 07:34:39 UTC 2014


Hi Robert

On Tue, Dec 09, 2014 at 01:17:03PM -0500, Robert Edmonds wrote:
> BTW, there's also RFC 4697 / BCP 123 which appears to have two contradictory
> recommendations:
> 
>     2.3.  Inability to Follow Multiple Levels of Indirection
> 
>     [...]
> 
>     2.3.1.  Recommendation
> 
>        Clearly constructing a delegation that relies on multiple levels of
>        indirection is not a good administrative practice.  However, the
>        practice is widespread enough to require that iterative resolvers be
>        able to cope with it.  Iterative resolvers SHOULD be able to handle
>        arbitrary levels of indirection resulting from out-of-zone name
>        servers.  Iterative resolvers SHOULD implement a level-of-effort
>        counter to avoid loops or otherwise performing too much work in
>        resolving pathological cases.
> 
>     [...]
> 
> You can support an unbounded (sorry) amount of indirection, or a bounded
> amount of indirection, but not both.

By "arbitrary", I understand that it should be configurable (according
to its dictionary definition). It doesn't mean that the number of levels
of indirection is not bounded. Hence, the level-of-effort counter too.

		Mukund
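The RFC text quoted above calls for a resolver that copes with out-of-zone name servers but bounds the work with a level-of-effort counter, and the reply reads "arbitrary" as a configurable limit rather than no limit. The following toy iterative resolver, added here as an example and not code from ISC, BIND or anyone on this thread, shows both halves: it follows a chain of glueless out-of-zone NS names of any length and stops at a configurable counter, which also catches a delegation loop. The delegation table, glue record, zone names and address are all constructed for the example.

```python
# Constructed delegation table (hypothetical names): zone -> name of its
# first listed NS. Every zone except provider-c.info. names an out-of-zone
# server, so finding an address means one more level of indirection.
DELEGATIONS = {
    "example.com.":     "ns.provider-a.net.",
    "provider-a.net.":  "ns.provider-b.org.",
    "provider-b.org.":  "ns.provider-c.info.",
    "provider-c.info.": "ns.provider-c.info.",   # in-zone, has glue below
    "loop-a.test.":     "ns.loop-b.test.",       # pathological a <-> b loop
    "loop-b.test.":     "ns.loop-a.test.",
}
GLUE = {"ns.provider-c.info.": "192.0.2.53"}     # the only glue we hold

class EffortExceeded(Exception):
    """Raised when the level-of-effort counter reaches its configured limit."""

def zone_of(name):
    """Return the closest enclosing delegated zone of a fully qualified name."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DELEGATIONS:
            return candidate
    raise LookupError(f"no delegation covers {name}")

def find_ns_address(name, max_indirection, effort=None):
    """Find an address for a server authoritative for `name`, following
    out-of-zone NS names. Returns (address, steps) or raises EffortExceeded."""
    effort = effort if effort is not None else {"steps": 0}
    ns = DELEGATIONS[zone_of(name)]
    effort["steps"] += 1                         # one unit of work per NS lookup
    if effort["steps"] > max_indirection:
        raise EffortExceeded(f"{max_indirection} indirections exceeded at {name}")
    if ns in GLUE:
        return GLUE[ns], effort["steps"]
    # Glueless / out-of-zone server: its own address is one more level down.
    return find_ns_address(ns, max_indirection, effort)

def resolve(name, max_indirection=8):
    """Resolver front end: the bound is configurable, never absent."""
    try:
        address, steps = find_ns_address(name, max_indirection)
        return {"status": "ok", "address": address, "steps": steps}
    except EffortExceeded as exc:
        return {"status": "servfail", "reason": str(exc)}
```

A real resolver counts total work per query (fetches, referrals, CNAME chasing) rather than only NS indirection depth, but the shape of the bound is the same: the loop case never terminates without it.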