IETF Logo Mail Archive

Re: Additional filtering of responses

Paul Vixie <vixie@isc.org> Thu, 07 August 2008 16:52 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 89CB03A6902; Thu, 7 Aug 2008 09:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.705
X-Spam-Level:
X-Spam-Status: No, score=-0.705 tagged_above=-999 required=5 tests=[AWL=1.894, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WLW3C4t3jK58; Thu, 7 Aug 2008 09:52:08 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8E3AC3A67B3; Thu, 7 Aug 2008 09:52:08 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KR8dZ-000CBq-Mu for namedroppers-data@psg.com; Thu, 07 Aug 2008 16:46:53 +0000
Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <vixie@vix.com>) id 1KR8dV-000CBN-V6 for namedroppers@ops.ietf.org; Thu, 07 Aug 2008 16:46:51 +0000
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id A9B74A6534; Thu, 7 Aug 2008 16:46:44 +0000 (UTC) (envelope-from vixie@nsa.vix.com)
From: Paul Vixie <vixie@isc.org>
To: Roy Arends <roy@nominet.org.uk>
cc: Namedroppers <namedroppers@ops.ietf.org>, Wouter Wijngaards <wouter@NLnetLabs.nl>
In-Reply-To: Your message of "Thu, 07 Aug 2008 18:32:35 +0200." <OF8C6AC1F0.001ADC24-ON8025749E.00576A89-C125749E.005ADCE2@nominet.org.uk>
References: <489AD5E3.20708@nlnetlabs.nl> <45759.1218122552@nsa.vix.com> <OF8C6AC1F0.001ADC24-ON8025749E.00576A89-C125749E.005ADCE2@nominet.org.uk>
X-Mailer: MH-E 8.0.3; nil; GNU Emacs 22.2.1
Date: Thu, 07 Aug 2008 16:46:44 +0000
Message-ID: <55353.1218127604@nsa.vix.com>
MIME-Version: 1.0
X-Vix-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-ID: A9B74A6534.D2A34
X-Vix-MailScanner: Found to be clean
X-Vix-MailScanner-From: vixie@vix.com
Subject: Re: Additional filtering of responses
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

From: "Roy Arends" <roy@nominet.org.uk>
> Paul Vixie wrote on 08/07/2008 05:22:32 PM:
> > ...
> 
> What does the scripture say about the following, very small (see * below) 
> response:

what am i, your prophet?  to hell with the scriptures, here's my take on it.

> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37612
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;010a.example.          IN      A
> 
> ;; ANSWER SECTION:
> 010a.example.           86400   IN      A       192.0.2.9
> 
> ;; AUTHORITY SECTION:
> example.                86400   IN      NS      010a.example.
> 
> ;; Query time: 3 msec
> ;; SERVER: 192.0.2.10#53(192.0.2.10)
> 
> No glue. No additional section. 
> 
> Is the address record in the answer section cached? 

yes, since it matches the qname and it's in the zone you were querying.

> When cached, is 192.0.2.9 considered authoritative now for future lookups 
> under example? 

yes, since it was received as an answer, it's presumed to be the same as
the answer one would get by discarding it and re-asking for it.  (that's
what's different about this case vs. the additional data case.)

> Will that NS record ever expire if a query is send once a day ?

your example shows an authoritative response.  your question here is about
expiry and therefore caching.  the TTL would tick down, and on the seventh
day it would expire, and a subsequent query would cause us to go back to
the root zone for a new delegation response.

> With all scrubbing and additional filtering of responses, will this 
> response cause a successful cache-(over)write of example NS records?

yes.

> No criticism about scrubbers and filters, just curious of what 
> implementations do and what the protocol dictates.

the protocol is horribly weak in terms of datapath protection.  the whole
thing is laboratory-grade.  the only true fix for any of this is dnssec.

> Roy Arends
> Nominet.
> 
> (*) The wireformat of this DNS message is just 60 octets due to the use
> of compression pointers.

i think DW (DNS-OARC) has a wiki where stuff like this can be shared, fwiw.

note that RTT banding, to make more random the RDNS' selection of an ADNS,
is another terrible idea (similar to dns-0x20 in its terribleness but also
in the ability to deploy it without a forklift of the whole infrastructure),
which would make it little bit harder to spoof .COM delegation responses.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email