[dns-operations] DNS Security Advisory (infinite recursion)
Robert Edmonds
edmonds at mycre.ws
Fri Dec 12 15:08:14 UTC 2014
Mukund Sivaraman wrote:
> On Tue, Dec 09, 2014 at 01:17:03PM -0500, Robert Edmonds wrote:
> > BTW, there's also RFC 4697 / BCP 123 which appears to have two contradictory
> > recommendations:
> >
> > 2.3. Inability to Follow Multiple Levels of Indirection
> >
> > [...]
> >
> > 2.3.1. Recommendation
> >
> > Clearly constructing a delegation that relies on multiple levels of
> > indirection is not a good administrative practice. However, the
> > practice is widespread enough to require that iterative resolvers be
> > able to cope with it. Iterative resolvers SHOULD be able to handle
> > arbitrary levels of indirection resulting from out-of-zone name
> > servers. Iterative resolvers SHOULD implement a level-of-effort
> > counter to avoid loops or otherwise performing too much work in
> > resolving pathological cases.
> >
> > [...]
> >
> > You can support an unbounded (sorry) amount of indirection, or a bounded
> > amount of indirection, but not both.
>
> By "arbitrary", I understand that it should be configurable (according
> to its dictionary definition). It doesn't mean that the number of levels
> of indirection is not bounded. Hence, the level-of-effort counter too.

That is not my impression from reading the whole section in context.
"Arbitrary levels of indirection resulting from out-of-zone name
servers" seems to refer to the levels of arbitrariness selected by the
"out-of-zone name servers", not an arbitrary limit imposed by the
iterative resolver.

Anyway, the ANSSI report has now been released:
http://www.ssi.gouv.fr/en/the-anssi/events/vulnerabilty-disclosure-the-infinitely-delegating-name-servers-idns-attack.html
--
Robert Edmonds
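The mechanism the quoted RFC 4697 text argues about, a level-of-effort counter that bounds how far an iterative resolver follows out-of-zone NS indirection, as an added toy example. This is not code from the thread, from any resolver, or from the ANSSI report. The authoritative side (FakeAuthority), the example.test / hopN.test zone layout, the 192.0.2.x addresses and the budget of 20 are all constructed for the illustration; a chain_len of None stands in for a name server that delegates forever.

```python
"""Toy iterative resolver with an RFC 4697 2.3.1 level-of-effort counter.

Constructed stand-in for the authoritative side: zone example.test is
served by ns.hop1.test, zone hop1.test by ns.hop2.test, and so on, so
every delegation names an out-of-zone server and forces a fresh
resolution. chain_len=None models an infinitely delegating server.
"""
from dataclasses import dataclass
from typing import Optional


class WorkLimitExceeded(Exception):
    """Per-query budget exhausted; a real resolver would answer SERVFAIL."""


@dataclass
class Delegation:
    ns_name: str            # NS target for the zone
    glue: Optional[str]     # address, present only when the NS is in-zone


def zone_of(name: str) -> str:
    """Parent of a name: www.example.test -> example.test (constructed layout)."""
    return name.split(".", 1)[1]


def _hop(zone: str) -> int:
    """hop7.test -> 7 (constructed naming scheme)."""
    return int(zone.split(".", 1)[0][len("hop"):])


class FakeAuthority:
    """Answers NS and A questions for the constructed example.test / hopN.test zones."""

    def __init__(self, chain_len: Optional[int]):
        self.chain_len = chain_len   # None: delegate forever (iDNS case)
        self.queries = 0             # upstream queries actually "sent"

    def delegation(self, zone: str) -> Delegation:
        self.queries += 1
        if zone == "example.test":
            return Delegation("ns.hop1.test", None)
        hop = _hop(zone)
        if self.chain_len is not None and hop >= self.chain_len:
            # Last hop: in-zone NS with glue, so the chain terminates.
            return Delegation(f"ns.{zone}", f"192.0.2.{hop}")
        return Delegation(f"ns.hop{hop + 1}.test", None)

    def address(self, ns_name: str) -> str:
        self.queries += 1
        return f"192.0.2.{_hop(zone_of(ns_name))}"


class Effort:
    """Level-of-effort counter: one unit per upstream query, one budget per client query."""

    def __init__(self, budget: int):
        self.budget = budget
        self.spent = 0

    def spend(self, what: str) -> None:
        if self.spent >= self.budget:
            raise WorkLimitExceeded(f"budget of {self.budget} exhausted at: {what}")
        self.spent += 1


def _server_for(qname: str, auth: FakeAuthority, effort: Effort) -> str:
    """Address of a server that can answer for qname, following NS indirection."""
    zone = zone_of(qname)
    effort.spend(f"NS lookup for {zone}")
    deleg = auth.delegation(zone)
    if deleg.glue is not None:
        return deleg.glue
    # Out-of-zone NS (RFC 4697 2.3): resolve the NS name first, charging the
    # work to the same budget so a delegation chain cannot run unbounded.
    ns_server = _server_for(deleg.ns_name, auth, effort)
    effort.spend(f"A lookup for {deleg.ns_name} at {ns_server}")
    return auth.address(deleg.ns_name)


def resolve(qname: str, auth: FakeAuthority, budget: int = 20):
    """Return (server address, units of work) or raise WorkLimitExceeded."""
    effort = Effort(budget)
    addr = _server_for(qname, auth, effort)
    return addr, effort.spent


def resolve_or_servfail(qname: str, auth: FakeAuthority, budget: int = 20) -> str:
    """What the client sees: an answer, or SERVFAIL once the budget is gone."""
    try:
        return resolve(qname, auth, budget)[0]
    except WorkLimitExceeded:
        return "SERVFAIL"


if __name__ == "__main__":
    addr, work = resolve("www.example.test", FakeAuthority(chain_len=3))
    print(f"finite chain: server {addr}, {work} upstream queries")
    idns = FakeAuthority(chain_len=None)
    print("infinite chain:", resolve_or_servfail("www.example.test", idns),
          f"after {idns.queries} upstream queries")
```

A chain of k out-of-zone hops costs 2k+1 upstream queries here (k+1 NS lookups plus k address lookups), which is the "widespread enough to require" case the RFC wants handled; the infinitely delegating server is stopped only by the counter, at exactly the budget, and never by the data it returns.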