This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] NCC reverse delegation criteria
Jonas Frey
jf at probe-networks.de
Tue Jun 11 19:52:18 CEST 2019
> Nope. There are other much more unpleasant impacts: consider cache
> poisoning.
>
> If your authoritative server also handles arbitrary recursive
> queries, I can make your name server query my DNS server which tells
> lies. Unless your server does DNSSEC validation, it will then spread
> these lies for me. Thanks! Worst case, I might even be able to hijack
> your authoritative domains by injecting new glue records for those
> domains into your server’s cache.
>
> That said, I’m usually not in favour of preventing people or
> companies from doing stupid things - like intermingling recursive and
> authoritative DNS servers. [Darwinism will always win in the end.] I
> can get paid $$$$ to fix these broken setups. :-) But more
> importantly, people tend to learn best from their mistakes because
> they then make sure they don’t repeat them.
>
> As someone once said “The IETF is not in the business of hanging
> people. But it does provide plenty of rope.”. I think those comments
> apply very well here too.

Jim,

I am aware of that - it was discussed on the member-discuss list, too.
If cache poisoning is being taken care of (be it via DNSSEC or else) what other reasons are there to not combine both?
So far, the most important points I do see are amplification and poisoning which both can be mitigated, what am I missing?

It seems to me that all documentation regarding this topic is highly outdated (at least what I have found, see ISC's docs for BIND).

Sorry...but once again going into detail on this topic.

- Jonas
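The mixed authoritative/recursive setup discussed in this message can be audited from the outside by sending a recursion-desired query for a name the server is not authoritative for and reading the reply header. The following is an added example, not part of the original message or of any RIPE NCC check; the function names, the `example.net` probe name and the sample replies are constructed for illustration.

```python
import socket
import struct

# DNS header flag bits and the REFUSED rcode (RFC 1035, section 4.1.1)
QR, RD, RA, REFUSED = 0x8000, 0x0100, 0x0080, 5

def build_query(qname, txid=0x1234, qtype=1):
    """Build an A query with RD=1 for a name the server is NOT authoritative for."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response, txid=0x1234):
    """Decide from the reply header whether recursion was offered to this client."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not (flags & QR):
        return "malformed"
    if (flags & 0x000F) == REFUSED:
        return "refused"
    # RA set means the server is willing to recurse for us: a mixed-role server.
    return "recursion-offered" if (flags & RA) else "no-recursion"

def probe(server_ip, qname, timeout=2.0):
    """Send the query over UDP to a name server you operate and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server_ip, 53))
        return classify(s.recv(512))

def constructed_reply(flags):
    """Constructed sample: a reply header with the given flags, echoing the question."""
    question = build_query("example.net")[12:]
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + question

SAMPLES = {  # constructed replies, not captured traffic
    "auth-only, refuses": constructed_reply(QR | RD | REFUSED),
    "auth-only, referral": constructed_reply(QR | RD),
    "mixed auth+recursive": constructed_reply(QR | RD | RA),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label}: {classify(reply)}")
```

A "recursion-offered" result from an address outside your own client ranges means the server will resolve arbitrary names for that source, which is the precondition for both the poisoning and the amplification concerns raised in the thread.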