[dns-operations] Using all the addresses of every name server? (Was: ANY efforts at taking additional responses more compact?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Sep 12 07:15:19 UTC 2016

On Sun, Sep 11, 2016 at 01:43:35PM -0600,
 Paul Vixie <paul at redbarn.org> wrote 
 a message of 49 lines which said:

> > RFC 1034, section 5.3.3 is even clearer "The strategy is to cycle
> > around all of the addresses for all of the servers with a timeout
> > between each transmission."
> for the purpose of determining which address is closest, it's certainly
> necessary to try every address.

No, no, the example of the RFC is clearly for resiliency purposes
("with a timeout").

> that won't happen for implementors who treat ICMP type 3 subtype 3
> as an excuse to skip the other addresses attached to a multihomed
> host, because their expectations aren't unreasonable.
Isn't it dangerous for security? ICMP for UDP packets has zero
authentication (there is no equivalent of RFC 5927 for UDP) so an
off-path attacker could easily force the choice of a specific
authoritative name server by generating rogue ICMP.

More information about the dns-operations mailing list