[dns-operations] Using all the addresses of every name server? (Was: ANY efforts at taking additional responses more compact?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Sep 12 07:15:19 UTC 2016
On Sun, Sep 11, 2016 at 01:43:35PM -0600,
Paul Vixie <paul at redbarn.org> wrote
a message of 49 lines which said:
> > RFC 1034, section 5.3.3 is even clearer "The strategy is to cycle
> > around all of the addresses for all of the servers with a timeout
> > between each transmission."
>
> for the purpose of determining which address is closest, it's certainly
> necessary to try every address.
No, no, the example of the RFC is clearly for resiliency purposes
("with a timeout").
> that won't happen for implementors who treat ICMP type 3 subtype 3
> as an excuse to skip the other addresses attached to a multihomed
> host, because their expectations aren't unreasonable.
Isn't it dangerous for security? ICMP for UDP packets has zero
authentication (there is no equivalent of RFC 5927 for UDP) so an
off-path attacker could easily force the choice of a specific
authoritative name server by generating rogue ICMP.
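The two server-selection behaviours discussed above can be compared side by side in a small model. The following is an added example, not code from the thread or from any resolver: it implements the RFC 1034 section 5.3.3 strategy (cycle around all addresses of all servers, one timeout between transmissions) and, behind a flag, the variant that takes an ICMP type 3 code 3 as a reason to drop that address for the rest of the query. The server names and addresses are constructed from documentation ranges, and the "network" is a scripted list of outcomes per address rather than real sockets, so it runs offline.

```python
"""Model of the RFC 1034 section 5.3.3 retry strategy versus a resolver
that skips an address on ICMP type 3 code 3.

Added example, not code from the dns-operations thread. The "network" is a
constructed script of outcomes per address, not real sockets, so the whole
thing runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Outcomes one UDP transmission can have in this model (constructed names).
ANSWER = "answer"
TIMEOUT = "timeout"
ICMP_UNREACH = "icmp-3-3"   # ICMP destination unreachable, port unreachable


@dataclass
class Resolver:
    servers: Dict[str, List[str]]            # NS name -> its addresses
    max_rounds: int = 3                      # passes over the address list
    skip_on_icmp: bool = False               # True: ICMP 3/3 drops the address
    attempts: List[str] = field(default_factory=list)
    excluded: Set[str] = field(default_factory=set)

    def all_addresses(self) -> List[str]:
        """All addresses of all servers, the set RFC 1034 says to cycle."""
        return [a for addrs in self.servers.values() for a in addrs]

    def resolve(self, send: Callable[[str], str]) -> Optional[str]:
        """Cycle around the addresses with a timeout between transmissions.

        send(addr) stands in for one transmission plus one timeout wait and
        returns ANSWER, TIMEOUT or ICMP_UNREACH.  Returns the answering
        address, or None when every round is exhausted (a SERVFAIL).
        """
        for _ in range(self.max_rounds):
            for addr in self.all_addresses():
                if addr in self.excluded:
                    continue
                self.attempts.append(addr)
                outcome = send(addr)
                if outcome == ANSWER:
                    return addr
                if outcome == ICMP_UNREACH and self.skip_on_icmp:
                    # The unauthenticated ICMP message now decides the
                    # candidate set for the rest of this query.
                    self.excluded.add(addr)
                # A timeout, or ICMP treated as advisory only: move to the
                # next address; this one is tried again in the next round.
        return None


class ScriptedNetwork:
    """Constructed per-address outcome scripts, consumed in order.

    When an address's list runs out its last outcome repeats.  An
    ICMP_UNREACH in front of an ANSWER models one spoofed unreachable
    arriving before the genuine reply, which is then lost to the resolver.
    """

    def __init__(self, script: Dict[str, List[str]]):
        self.script = {a: list(o) for a, o in script.items()}

    def __call__(self, addr: str) -> str:
        outcomes = self.script[addr]
        return outcomes.pop(0) if len(outcomes) > 1 else outcomes[0]


# Constructed zone: ns1 is dual-stacked, ns2 has one address.
SERVERS = {
    "ns1.example": ["192.0.2.1", "2001:db8::1"],
    "ns2.example": ["192.0.2.2"],
}

# Genuine failure: 192.0.2.1 has no listener, ::1 is slow, ns2 is silent.
GENUINE = {"192.0.2.1": [ICMP_UNREACH],
           "2001:db8::1": [TIMEOUT, TIMEOUT, ANSWER],
           "192.0.2.2": [TIMEOUT]}

# Spoofed ICMP for both ns1 addresses while ns2 happens not to respond.
FORGED_NS2_DOWN = {"192.0.2.1": [ICMP_UNREACH, ANSWER],
                   "2001:db8::1": [ICMP_UNREACH, ANSWER],
                   "192.0.2.2": [TIMEOUT]}

# Spoofed ICMP for both ns1 addresses while ns2 answers promptly.
FORGED_NS2_UP = {"192.0.2.1": [ICMP_UNREACH, ANSWER],
                 "2001:db8::1": [ICMP_UNREACH, ANSWER],
                 "192.0.2.2": [ANSWER]}


def run(skip_on_icmp: bool, script: Dict[str, List[str]]):
    """Resolve once under a script; return (answering address, attempts)."""
    r = Resolver(SERVERS, skip_on_icmp=skip_on_icmp)
    return r.resolve(ScriptedNetwork(script)), r.attempts


if __name__ == "__main__":
    for name, script in [("genuine", GENUINE),
                         ("forged, ns2 down", FORGED_NS2_DOWN),
                         ("forged, ns2 up", FORGED_NS2_UP)]:
        for skip in (False, True):
            who, tries = run(skip, script)
            print(f"{name:16} skip_on_icmp={skip!s:5} -> {who} after {len(tries)} sends")
```

Against a genuinely unreachable address both resolvers get an answer; skipping merely saves two retransmissions. With one spoofed unreachable per ns1 address the picture differs: when ns2 answers, both resolvers are steered to ns2 for that query, but when ns2 is silent the skipping resolver has excluded every ns1 address on the strength of unauthenticated ICMP and ends in SERVFAIL, while the cycling resolver gets ns1 back in rotation on the next round. Cycling with a timeout does not authenticate anything; it bounds what a single forged message can do to one lost transmission.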