[dns-operations] DNS Security Advisory (infinite recursion)

Robert Edmonds edmonds at mycre.ws
Fri Dec 12 15:08:14 UTC 2014


Mukund Sivaraman wrote:
> On Tue, Dec 09, 2014 at 01:17:03PM -0500, Robert Edmonds wrote:
> > BTW, there's also RFC 4697 / BCP 123 which appears to have two contradictory
> > recommendations:
> > 
> >     2.3.  Inability to Follow Multiple Levels of Indirection
> > 
> >     [...]
> > 
> >     2.3.1.  Recommendation
> > 
> >        Clearly constructing a delegation that relies on multiple levels of
> >        indirection is not a good administrative practice.  However, the
> >        practice is widespread enough to require that iterative resolvers be
> >        able to cope with it.  Iterative resolvers SHOULD be able to handle
> >        arbitrary levels of indirection resulting from out-of-zone name
> >        servers.  Iterative resolvers SHOULD implement a level-of-effort
> >        counter to avoid loops or otherwise performing too much work in
> >        resolving pathological cases.
> > 
> >     [...]
> > 
> > You can support an unbounded (sorry) amount of indirection, or a bounded
> > amount of indirection, but not both.
> 
> By "arbitrary", I understand that it should be configurable (according
> to its dictionary definition). It doesn't mean that the number of levels
> of indirection is not bounded. Hence, the level-of-effort counter too.

That is not my impression from reading the whole section in context.
"Arbitrary levels of indirection resulting from out-of-zone name
servers" seems to refer to the levels of arbitrariness selected by the
"out-of-zone name servers", not an arbitrary limit imposed by the
iterative resolver.

Anyway, the ANSSI report has now been released:

http://www.ssi.gouv.fr/en/the-anssi/events/vulnerabilty-disclosure-the-infinitely-delegating-name-servers-idns-attack.html

-- 
Robert Edmonds


