Dealing with the NS RRSet [Re: Why *can* cached DNS replies be overwritten?]
Peter Koch <pk@DENIC.DE> Tue, 12 August 2008 12:19 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4EBC63A6A5B; Tue, 12 Aug 2008 05:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.39
X-Spam-Level:
X-Spam-Status: No, score=-4.39 tagged_above=-999 required=5 tests=[AWL=-1.140, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8NOdeWvsh79C; Tue, 12 Aug 2008 05:19:03 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 877C13A6833; Tue, 12 Aug 2008 05:19:03 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KSsgy-000H5B-Mm for namedroppers-data@psg.com; Tue, 12 Aug 2008 12:09:36 +0000
Received: from [81.91.160.182] (helo=office.denic.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <pk@DENIC.DE>) id 1KSsgp-000H49-Kr for namedroppers@ops.ietf.org; Tue, 12 Aug 2008 12:09:34 +0000
Received: from denic.de ([10.122.65.106]) by office.denic.de with esmtp id 1KSsgm-0005Bo-Gk; Tue, 12 Aug 2008 14:09:24 +0200
Received: by unknown.office.denic.de (Postfix, from userid 501) id 6A25E7E55F5; Tue, 12 Aug 2008 14:09:24 +0200 (CEST)
Date: Tue, 12 Aug 2008 14:09:23 +0200
From: Peter Koch <pk@DENIC.DE>
To: Antoin Verschuren <Antoin.Verschuren@sidn.nl>
Cc: IETF DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Dealing with the NS RRSet [Re: Why *can* cached DNS replies be overwritten?]
Message-ID: <20080812120923.GB39395@unknown.office.denic.de>
References: <20080811190427.GD9082@cgi.jachomes.com> <B33086268D53A0429A3AA2774C83892C02E6D330@KAEVS1.SIDN.local>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B33086268D53A0429A3AA2774C83892C02E6D330@KAEVS1.SIDN.local>
User-Agent: Mutt/1.4.2.1i
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
On Tue, Aug 12, 2008 at 10:31:21AM +0200, Antoin Verschuren wrote: > I actually like the simple behavior that an authoritative answer can override an already cached answer. > It's efficient, and follows the simple rule that an authorative answer can be cached. well, I had read your earlier comments slightly differently, especially w.r.t. the "name server lock-in" problem. > It only goes wrong if people don't maintain their DNS entries operationally, and forget to delete entries they are no longer authoritative for. ... or aren't informed or don't cooperate for other reasons. We know how to gracefully migrate from one NS RRSet do another, even disjoint, one, but we also know that this migration doesn't really happen that often in today's mass hosting environments. But can catch two birds with one stone here, I believe: Let's see what different flavors the forged responses can have: ----------------------------------------------------------------------------- ;; QUESTION SECTION: ;345678.example.org. IN A ;; ANSWER SECTION: 345678.example.org. 3600 IN A 192.0.2.1 ;; AUTHORITY SECTION: example.org. 3600 IN NS ns1.example.org. example.org. 3600 IN NS ns2.example.net. ;; ADDITIONAL SECTION: ns1.example.org. 3600 IN A 10.0.0.42 www.example.org. 3600 IN A 192.0.2.80 ----------------------------------------------------------------------------- Unsolicited additional information should already be ignored and data from the additional section shouldn't overwrite a (previous) authoritative answer as per RFC 2181. 0 points. ----------------------------------------------------------------------------- ;; QUESTION SECTION: ;345678.example.org. IN A ;; ANSWER SECTION: 345678.example.org. 3600 IN A 192.0.2.1 ;; AUTHORITY SECTION: example.org. 3600 IN NS www.example.org. example.org. 3600 IN NS ns2.example.net. ;; ADDITIONAL SECTION: www.example.org. 3600 IN A 192.0.2.80 ----------------------------------------------------------------------------- The additional section data is logically justified, but RFC 2181 helps. 0 points. ----------------------------------------------------------------------------- ;; QUESTION SECTION: ;345678.example.org. IN A ;; ANSWER SECTION: 345678.example.org. 3600 IN A 192.0.2.1 ;; AUTHORITY SECTION: example.org. 3600 IN NS evil1.example.net. example.org. 3600 IN NS evil2.example.net. ----------------------------------------------------------------------------- Now, to have gotten here, the resolver has already followed a referral. In theory, the referral and the authoritative data are always in sync, so there's no need to replace one with the other. In practice, though, the authoritative NS RRSet is the more credible one. Distinguish between a referral NS RRSet and an "authoritative" NS RRSet (quotes because it stems from the authoritative source, but isn't formally covered by the AA bit): let the latter _only_ overwrite the former. This brings back the window of opportunity whose size is determined by the TTL of the "authoritative" NS RRSet. However, there's a remaining risk here at those levels where a positive authoritative response does not normally occur under normal operations, most prominently most of the TLDs. ----------------------------------------------------------------------------- ;; QUESTION SECTION: ;345678.example.org. IN A ;; ANSWER SECTION: 345678.example.org. 3600 IN A 192.0.2.1 ;; AUTHORITY SECTION: example.org. 3600 IN NS 345678.example.org. ----------------------------------------------------------------------------- Same as above. It's the NS RRSet, not the address data. > In the DNS hierarchy, you don't want every query to hit the root. > My concern is that if records always expire, like Unbound does, parent nameservers are hit more. Sure, but this is hard to predict. It depends on the relation of TTLs between both NS RRSets as well as the TTLs of the authoritative NS RRSet and the TTL of the data you're actually interested in. But, isn't the phantom referral the really hard one: ----------------------------------------------------------------------------- ;; QUESTION SECTION: ;345678.www.example.org. IN A ;; AUTHORITY SECTION: www.example.org. 3600 IN NS evil1.example.net. www.example.org. 3600 IN NS evil2.example.net. ----------------------------------------------------------------------------- What are mitigation techniques here? o let the resolver remember the (potentially invisible) zone cut o expire all RRSets atthe same owner at once (bad effect on the parent) o really delegate at every level (have fun with IP6.ARPA and ENUM) o ... -Peter -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: Why *can* cached DNS replies be overwritten? Olafur Gudmundsson
- Why *can* cached DNS replies be overwritten? Jay R. Ashworth
- Re: Why *can* cached DNS replies be overwritten? bert hubert
- RE: Why *can* cached DNS replies be overwritten? Antoin Verschuren
- Dealing with the NS RRSet [Re: Why *can* cached D… Peter Koch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Tony Finch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Florian Weimer
- Re: Why *can* cached DNS replies be overwritten? Paul Vixie
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Peter Koch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Tony Finch