[dns-operations] extra records in resolver answer, any benefit?

Paul Vixie paul at redbarn.org
Wed Jan 28 01:10:13 UTC 2015



> Olafur Gudmundsson <mailto:ogud at ogud.com>
> Tuesday, January 27, 2015 1:22 PM
>
> The original reasoning was to save round trip times and network
> bandwidth. This does not hold any more, as Dan Kaminsky showed us how
> to use extra data as cache poison via forged answers.
>
> In DNS referrals there is value for extra data when name servers are
> below the zone cut. In no other situation do I see value for an
> application to see anything that is not in the first NON-empty response
> section (i.e. either Answer or Authority).
>
> I have been thinking about shortening MX answers by only including the
> Answer section and violating the server side processing of additional
> records. If Florian and Tony are right then that should be harmless,
> as in most cases these days mail servers are outside the domain.

i'm fine with additional data that's within the bailiwick of a referral,
but also, with data whose owner name matches the qname. so, including
AAAA as additional data for QTYPE=A, and including A as additional data
for QTYPE=AAAA, has no "kaminsky problem", and could save round trips.

note, it has to match the QNAME, not the final owner of a CNAME chain,
to qualify for this treatment.

-- 
Paul Vixie
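The two acceptance rules in the reply above (glue within the bailiwick of a referral, and A/AAAA whose owner is exactly the QNAME, not the tail of a CNAME chain) are easy to state but worth seeing as a cache-side filter. The following is an added example, not code from the thread or from any resolver; it assumes a referral's bailiwick is the owner name of the NS RRset in the Authority section, and all names and addresses in it are constructed sample values.

```python
# Added example: a cache-side acceptance filter for the additional section,
# implementing the two cases the reply describes as free of the "kaminsky
# problem". Not production resolver code; the zone-cut assumption and all
# sample data are constructed for this illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    owner: str   # owner name, e.g. "ns1.example.com."
    rtype: str   # "A", "AAAA", "NS", "CNAME", ...
    rdata: str   # textual RDATA (sample values only)


def canon(name: str) -> str:
    """Lowercase and fully-qualify a name so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone`; the root contains everything."""
    name, zone = canon(name), canon(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def referral_zone(authority: List[RR]) -> Optional[str]:
    """Assumption for this example: a referral's bailiwick is the owner of
    the NS RRset in Authority. Returns None when there is no single NS owner
    (NXDOMAIN/NODATA with SOA, or a non-referral answer)."""
    owners = {canon(rr.owner) for rr in authority if rr.rtype == "NS"}
    return owners.pop() if len(owners) == 1 else None


def filter_additional(qname: str, qtype: str, answer: List[RR],
                      authority: List[RR], additional: List[RR]
                      ) -> Tuple[List[RR], List[RR]]:
    """Split the additional section into (keep, drop).

    Rule 1: in a referral (empty Answer, NS in Authority), keep address
            records whose owner is inside the referred-to zone.
    Rule 2: otherwise keep an A/AAAA record only when its owner is the
            original QNAME and it is the sibling type of QTYPE. The final
            owner of a CNAME chain does not qualify.
    Everything else, in particular out-of-bailiwick glue, is dropped."""
    keep, drop = [], []
    zone = referral_zone(authority) if not answer else None
    for rr in additional:
        if rr.rtype not in ("A", "AAAA"):
            drop.append(rr)
            continue
        if zone is not None:
            ok = in_bailiwick(rr.owner, zone)
        else:
            ok = (canon(rr.owner) == canon(qname)
                  and {rr.rtype, qtype} == {"A", "AAAA"})
        (keep if ok else drop).append(rr)
    return keep, drop


if __name__ == "__main__":
    # Constructed referral: one in-bailiwick glue record, one out-of-bailiwick
    # record of the kind a forged answer would try to plant.
    keep, drop = filter_additional(
        "www.example.com.", "A", [],
        [RR("example.com.", "NS", "ns1.example.com."),
         RR("example.com.", "NS", "ns.example.net.")],
        [RR("ns1.example.com.", "A", "192.0.2.53"),
         RR("ns.example.net.", "A", "198.51.100.7")])
    print("referral keep:", [r.owner for r in keep], "drop:", [r.owner for r in drop])

    # Constructed CNAME chain: the AAAA for the chain's final owner is not at
    # the QNAME, so it is dropped even though it looks helpful.
    keep, drop = filter_additional(
        "www.example.com.", "A",
        [RR("www.example.com.", "CNAME", "host.example.net."),
         RR("host.example.net.", "A", "192.0.2.10")],
        [],
        [RR("host.example.net.", "AAAA", "2001:db8::10")])
    print("cname keep:", [r.owner for r in keep], "drop:", [r.owner for r in drop])
```

The filter only decides what a cache may take from the additional section; a real resolver also checks that the response came from a server it actually asked for that zone, which is outside this example.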