[dns-operations] DNS Security Advisory (infinite recursion)
Mukund Sivaraman
muks at isc.org
Wed Dec 10 07:34:39 UTC 2014
Hi Robert
On Tue, Dec 09, 2014 at 01:17:03PM -0500, Robert Edmonds wrote:
> BTW, there's also RFC 4697 / BCP 123 which appears to have two contradictory
> recommendations:
>
> 2.3. Inability to Follow Multiple Levels of Indirection
>
> [...]
>
> 2.3.1. Recommendation
>
> Clearly constructing a delegation that relies on multiple levels of
> indirection is not a good administrative practice. However, the
> practice is widespread enough to require that iterative resolvers be
> able to cope with it. Iterative resolvers SHOULD be able to handle
> arbitrary levels of indirection resulting from out-of-zone name
> servers. Iterative resolvers SHOULD implement a level-of-effort
> counter to avoid loops or otherwise performing too much work in
> resolving pathological cases.
>
> [...]
>
> You can support an unbounded (sorry) amount of indirection, or a bounded
> amount of indirection, but not both.
By "arbitrary", I understand that it should be configurable (according
to its dictionary definition). It doesn't mean that the number of levels
of indirection is not bounded. Hence, the level-of-effort counter too.
Mukund
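
Added example, not part of the original message and not code from any resolver: a toy simulation of the level-of-effort counter in the RFC 4697 section 2.3.1 text quoted above, treated as a configurable bound on out-of-zone name server indirection. The zone names, addresses, and the resolve() helper are constructed for illustration.

```python
# Constructed data (not from the thread): zone -> NS host names.
DELEGATIONS = {
    "a.example": ["ns.b.example"],   # a -> b -> c: two levels of indirection
    "b.example": ["ns.c.example"],
    "c.example": ["ns.c.example"],   # in-zone server, reachable via glue
    "x.example": ["ns.y.example"],   # x and y name each other's servers: a loop
    "y.example": ["ns.x.example"],
}
GLUE = {"ns.c.example": "192.0.2.53"}            # known without any lookup
AUTH_DATA = {"ns.b.example": "192.0.2.2",        # what a zone's servers answer
             "www.a.example": "192.0.2.80"}


class EffortExceeded(Exception):
    """Raised when one client query has used up its work budget."""


def resolve(host, max_effort):
    """Return (address, lookups_used) for host. max_effort is the configurable
    level-of-effort limit, counted across the whole resolution."""
    used = 0

    def lookup(name):
        nonlocal used
        if used >= max_effort:
            raise EffortExceeded(f"gave up on {host} after {used} lookups")
        used += 1
        if name in GLUE:
            return GLUE[name]
        zone = name.split(".", 1)[1]
        for ns in DELEGATIONS.get(zone, []):
            # The server's own address must be resolved first (indirection).
            if ns != name and lookup(ns) is not None:
                return AUTH_DATA.get(name)   # simulated query to that server
        return None

    return lookup(host), used
```

With a limit of 10 the two-level chain under a.example resolves in 3 lookups, while the x.example/y.example loop stops with EffortExceeded instead of recursing without end.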