IETF Logo Mail Archive

Re: Extra records in zone transfers

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Sat, 17 March 2001 23:42 UTC

Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id SAA10378 for <dnsext-archive@lists.ietf.org>; Sat, 17 Mar 2001 18:42:46 -0500 (EST)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14ePtd-000Ajs-00 for namedroppers-data@psg.com; Sat, 17 Mar 2001 15:14:05 -0800
Received: from pcp000512pcs.wireless.meeting.ietf.org ([135.222.64.12] helo=roam.psg.com ident=root) by psg.com with esmtp (Exim 3.16 #1) id 14ePtb-000Ajm-00 for namedroppers@ops.ietf.org; Sat, 17 Mar 2001 15:14:03 -0800
Received: from randy by roam.psg.com with local (Exim 3.20 #1) id 14ePta-0002ef-00 for namedroppers@ops.ietf.org; Sat, 17 Mar 2001 15:14:02 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Message-Id: <200103172254.HAA03218@necom830.hpcl.titech.ac.jp>
Received: by necom830.hpcl.titech.ac.jp (8.6.11/TM2.1) id HAA03218; Sun, 18 Mar 2001 07:53:49 +0859
Subject: Re: Extra records in zone transfers
To: djb@cr.yp.to
Date: Sun, 18 Mar 2001 07:53:47 -0000
Cc: namedroppers@ops.ietf.org
In-Reply-To: <20010317142817.24001.qmail@cr.yp.to>; from "D. J. Bernstein" at Mar 18, 101 12:43 am
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit

Dan;

> Andreas Gustafsson writes:
>   [ aol.com records in a zone transferred from princeton.edu ]
> > it may be used as glue in referrals
> 
> No. That is completely unacceptable from a security perspective.
> 
> Consider, as an easy example, a server handling both the .net zone and
> the microsoft.net zone. Suppose the microsoft.net people say
> 
>    blah.microsoft.net NS ns.slashdot.net
>    ns.slashdot.net A 207.46.232.37
> 
> in an AXFR response to this server. It is essential for the server to
> discard the glue A record; otherwise it will poison caches, because
> caches trust ns.slashdot.net information from .net servers.

In an AXFR, exactly what is contained in the master zone file
is transferred.

The primary server transmit exactly what is contained in a master
zone file of a zone.

Secondary servers transmit exactly what is received from upstream
server.

AXFR and IXFR has nothing to do with caching.

> My servers use a redesigned unified configuration-file format,

Your server is wrongly implemented, then.

(FYI, last time I checked BIND code in detail several years ago, it was
wrong too.)

Glue information is local to a zone (actually, local to a referral point
that same name server may have different A records referral by referral,
though such information can not be represented by standard zone file or
zone transfer format), that same name server may have different A
records zone by zone.

That is the reality of the database and the behaviour is not forbidden
by the specification.

Thus, glue information may be chached not in global cache but in
cache local to a zone (or, better, local to a referral point).

Then, different A records from different referral points can be cached
independently and replies can choose appropriate chache.

Note that your server is wrongly implemented in a way not directly
related to AXFR nor IXFR that, if you want to continue this thread
on correct chaching, you should better use a subject like "multiple
chache".

							Masataka Ohta


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

v2.39.1 | Report a Bug | By Email | System Status