[dns-operations] DNS Security Advisory (infinite recursion)
edmonds at mycre.ws
Fri Dec 12 15:08:14 UTC 2014
Mukund Sivaraman wrote:
> On Tue, Dec 09, 2014 at 01:17:03PM -0500, Robert Edmonds wrote:
> > BTW, there's also RFC 4697 / BCP 123 which appears to have two contradictory
> > recommendations:
> > 2.3. Inability to Follow Multiple Levels of Indirection
> > [...]
> > 2.3.1. Recommendation
> > Clearly constructing a delegation that relies on multiple levels of
> > indirection is not a good administrative practice. However, the
> > practice is widespread enough to require that iterative resolvers be
> > able to cope with it. Iterative resolvers SHOULD be able to handle
> > arbitrary levels of indirection resulting from out-of-zone name
> > servers. Iterative resolvers SHOULD implement a level-of-effort
> > counter to avoid loops or otherwise performing too much work in
> > resolving pathological cases.
> > [...]
> > You can support an unbounded (sorry) amount of indirection, or a bounded
> > amount of indirection, but not both.
> By "arbitrary", I understand that it should be configurable (according
> to its dictionary definition). It doesn't mean that the number of levels
> of indirection is not bounded. Hence, the level-of-effort counter too.
That is not my impression from reading the whole section in context.
"Arbitrary levels of indirection resulting from out-of-zone name
servers" seems to refer to the levels of arbitrariness selected by the
"out-of-zone name servers", not an arbitrary limit imposed by the
Anyway, the ANSSI report has now been released:
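The level-of-effort counter that the quoted RFC 4697 text recommends, as an added toy model (not code from this thread or from any real resolver): the delegation data is constructed so that one chain has a single level of out-of-zone indirection and another loops back on itself; the counter turns the loop into a SERVFAIL, while the unbounded variant never terminates.

```python
# Toy iterative resolver with the RFC 4697 2.3.1 level-of-effort counter; all data is constructed.
ZONES = {  # zone -> names of its authoritative servers (the NS RRset)
    "good.example.": ["ns1.helper.example."],  # one level of out-of-zone indirection
    "helper.example.": ["ns2.helper.example."],
    "a.example.": ["ns.b.example."],  # out-of-zone NS ...
    "b.example.": ["ns.c.example."],  # ... served from another zone ...
    "c.example.": ["ns.a.example."],  # ... which loops back to a.example.
}
GLUE = {  # server name -> address handed out with the delegation (no lookup needed)
    "ns2.helper.example.": "198.51.100.3",
}
ADDRESSES = {  # A records the zone's servers would answer with
    "ns1.helper.example.": "198.51.100.4",
    "www.good.example.": "203.0.113.10",
    "www.a.example.": "203.0.113.20",
}

class EffortExceeded(Exception):
    """Level-of-effort counter exhausted: stop instead of chasing the loop."""

def closest_zone(name):
    """Longest enclosing zone in ZONES, i.e. the zone that serves `name`."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if zone in ZONES:
            return zone
    raise KeyError(name)

def resolve(name, effort):
    """Resolve `name`; each out-of-zone server address we must look up costs one unit."""
    for server in ZONES[closest_zone(name)]:
        if server not in GLUE:  # no glue: extra indirection to find the server
            if effort["remaining"] is not None:  # None means no counter at all
                if effort["remaining"] == 0:
                    raise EffortExceeded(name)
                effort["remaining"] -= 1
            effort["used"] += 1
            resolve(server, effort)  # learn the server's address before querying it
        return ADDRESSES.get(name)  # query that server for the answer

def lookup(name, max_effort=8):
    """Return (rcode, address, indirections_followed); max_effort=None is unbounded."""
    effort = {"remaining": max_effort, "used": 0}
    try:
        return "NOERROR", resolve(name, effort), effort["used"]
    except EffortExceeded:
        return "SERVFAIL", None, effort["used"]
    except RecursionError:  # the unbounded resolver never terminates on the loop
        return "LOOP", None, effort["used"]
```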