[dns-wg] NCC reverse delegation criteria

> Nope. There are other much more unpleasant impacts: consider cache
> poisoning.
> 
> If your authoritative server also handles arbitrary recursive
> queries, I can make your name server query my DNS server which tells
> lies. Unless your server does DNSSEC validation, it will then spread
> these lies for me. Thanks! Worst case, I might even be able to hijack
> your authoritative domains by injecting new glue records for those
> domains into your server’s cache.
> 
> That said, I’m usually not in favour of preventing people or
> companies from doing stupid things - like intermingling recursive and
> authoritative DNS servers. [Darwinism will always win in the end.] I
> can get paid $$$$ to fix these broken setups. :-) But more
> importantly, people tend to learn best from their mistakes because
> they then make sure they don’t repeat them.
> 
> As someone once said “The IETF is not in the business of hanging
> people. But it does provide plenty of rope.”. I think those comments
> apply very well here too.

Jim,

i am aware of that - it was discussed on the member-discuss list, too.
If cache poising is beeing taken care of (be it via DNSSEC or else)
what other reasons are there to not combine both?
So far, the most important points i do see are amplification and
poisioning which both can be mitigated, what am i missing?
It seems to me that all documentation regarding this topic is highly
outdated (atleast what i have found, see ISC's docs for BIND).
Sorry...but once again going into detail on this topic.


- Jonas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: </ripe/mail/archives/dns-wg/attachments/20190611/2d27297f/attachment.sig>