Ondřej Surý wrote:
> If the recursive DNS server emits a DNS query for hk.com, the content
> of the ADDITIONAL section in the DNS response will be ignored unless
> its contents are also under hk.com (that's the bailiwick). This strict
> checking was introduced after the Kaminsky attack to increase the
> resilience of the DNS. A correctly behaving resolver should
> automatically go and get the IP addresses for a.udrtld.net,
> b.udrtld.net, ... The resolver can accept those records if it already
> knows that the X.udrtld.net servers are also responsible for the
> udrtld.net domain name (but the resolver doesn't know that until it
> traverses from the root zone to X.udrtld.net, and at that time the
> records are cached, so there's little to gain by sending the GLUE
> within the hk.com DNS response).
Actually, the strict checking that you describe was introduced long
before the Kaminsky attack (2008). Maybe you are thinking of the
Kashpureff attack (1997)? E.g., RFC 3833 § 2.3 explicitly mentions this
scenario.
I think the problem here is that the
hk.com nameservers are *also*
nameservers for
udrtld.net, and the BIND servers are following the
"unless" clause in RFC 2181 § 6.1, "A server for a zone should not
return authoritative answers for queries related to names in another
zone, which includes the NS, and perhaps A, records at a zone cut,
unless it also happens to be a server for the other zone." Note it says
"should not... perhaps... unless". That is a much looser requirement
than "must" :-)
> The problem you are mentioning above has nothing to do with GLUE
> records returned (or not returned) by the DNS servers. Also, the GLUE
> returned by the .com nameservers (X.gtld-servers.net) is just a
> coincidence of the fact that .com and .net are run by the same
> company. And strictly speaking, they don't have to be there, since
> they will (or should) be ignored by the recursive servers.
I don't know that there's anything wrong *in principle* with a recursive
server noticing that .com and .net (or any other set of zones) are
served by exactly the same nameservers and accepting glue records from
within that set of zones, other than that such an implementation would
probably be more complex and require more memory.
--
Robert Edmonds
edmonds(a)debian.org
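The bailiwick check discussed above, as an added example that is not part of the thread and is not BIND's code. It models a resolver deciding which ADDITIONAL-section records from a referral it may cache: first with the strict rule (only names under the zone the queried server is being asked about), then with the relaxed rule Robert sketches, where the resolver has noticed that a set of zones (here .com and .net) is served by the same nameservers and accepts glue from anywhere in that set. The record format, the sample referral for hk.com, and the IPv4 addresses (taken from the RFC 5737 documentation ranges) are constructed for illustration; the hostnames a.udrtld.net and b.udrtld.net are the ones named in the thread.

```python
"""Bailiwick filtering of a DNS referral's ADDITIONAL section.

Added example, not code from the thread or from BIND. The toy record
type, the sample referral and the addresses are constructed; the
names a.udrtld.net / b.udrtld.net come from the thread itself.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "a.udrtld.net."
    rtype: str   # "NS" or "A" is all this example needs
    rdata: str   # NS target name, or dotted-quad for A


def canon(name: str) -> str:
    """Lower-case and force a trailing dot so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a proper subdomain of zone.

    The '.' prefix in the endswith() check is what stops "notcom." from
    matching the zone "com.".
    """
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


def filter_additional(bailiwicks: Iterable[str],
                      additional: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split ADDITIONAL records into (accepted, dropped).

    Strict mode: pass a single zone, e.g. {"com."} for a referral from
    the .com servers. Relaxed mode (the idea floated in the thread):
    pass every zone the resolver has observed the same servers to be
    authoritative for, e.g. {"com.", "net."}.
    """
    zones = [canon(z) for z in bailiwicks]
    accepted, dropped = [], []
    for rr in additional:
        ok = any(in_bailiwick(rr.name, z) for z in zones)
        (accepted if ok else dropped).append(rr)
    return accepted, dropped


# Constructed referral: .com servers answering a query for hk.com.
AUTHORITY = [
    RR("hk.com.", "NS", "a.udrtld.net."),
    RR("hk.com.", "NS", "b.udrtld.net."),
]
# Glue the .com servers happen to send because they also serve .net.
ADDITIONAL = [
    RR("a.udrtld.net.", "A", "192.0.2.1"),      # RFC 5737 TEST-NET-1
    RR("b.udrtld.net.", "A", "198.51.100.1"),   # RFC 5737 TEST-NET-2
]


def strict_result() -> tuple[list[RR], list[RR]]:
    """Referral came from a .com server: only names under com. count."""
    return filter_additional({"com."}, ADDITIONAL)


def relaxed_result() -> tuple[list[RR], list[RR]]:
    """Resolver has learned .com and .net share nameservers."""
    return filter_additional({"com.", "net."}, ADDITIONAL)


if __name__ == "__main__":
    for label, (acc, drop) in (("strict", strict_result()),
                               ("relaxed", relaxed_result())):
        print(f"{label}: accepted={[r.name for r in acc]} "
              f"dropped={[r.name for r in drop]}")
```

Under the strict rule both udrtld.net A records are discarded and the resolver must resolve a.udrtld.net and b.udrtld.net itself, which is the behaviour Ondřej describes; only the relaxed rule, which a resolver would have to justify by its own observation of which servers serve which zones, lets the .com-supplied glue be used.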