Re: NGtrans - DNSext joint meeting, call for participation
gson@nominum.com (Andreas Gustafsson) Wed, 25 July 2001 14:08 UTC
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: gson@nominum.com
To: Matt Crawford <crawdad@fnal.gov>
Cc: Alain Durand <Alain.Durand@sun.com>, Olafur Gudmundsson <ogud@ogud.com>, ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com
Subject: Re: NGtrans - DNSext joint meeting, call for participation
In-Reply-To: <E15OmqF-000IyQ-00@psg.com>
References: <E15NZcZ-0006QL-00@psg.com> <E15OmqF-000IyQ-00@psg.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15POE7-000IdS-00@psg.com>
Date: Wed, 25 Jul 2001 05:57:23 -0700
Matt Crawford writes:

> I offer
> http://home.fnal.gov/~crawdad/draft-ietf-dnsext-ipv6-dns-response-00.txt

I would like to comment on section 1.3:

> 1.3. DNSSEC - Aggravation or Amelioration?
>
> An extreme case of A6 deployment (some might say a nightmare case),
> in the A6 record for each portion of an address is in a zone
> belonging to the party by whom that set of bits has been assigned.
> This is a situation which is improved by ubiquitous use of DNSSEC
> [DNSSEC] since the leaf site can cache authenticated data for its
> entire prefix chain and a DNS client can confidently accept that
> data without having to make extra queries.

You seem to be suggesting that if or when DNSSEC is deployed, authoritative servers should start actively caching data related to the data they are authoritative for, and resolvers (aka caching servers) should start making use of response data outside the domain for which the authoritative server is being queried, rather than discarding it like current resolvers do.

I disagree. Having authoritative servers send such cached data, and having resolvers accept it, is a bad idea whether or not DNSSEC is being used.

If a DNSSEC aware resolver accepts data from a poisoned cache, DNSSEC will detect the poisoning, but this does not in any way guarantee that the resolution will succeed - in practice, a much more likely outcome is that a security error is returned to the client. This could be exploited for denial of service attacks.

-- 
Andreas Gustafsson, gson@nominum.com
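The resolver behaviour the reply relies on, discarding response data that lies outside the zone the queried authoritative server is responsible for, as an added example that is not part of the original message: a label-wise bailiwick filter run over a constructed response whose A6 prefix chain crosses into another party's zone. The zone name, record owners and rdata below are all constructed sample values.

```python
# Added example, not from the original message: a minimal bailiwick filter of
# the kind a caching resolver applies to records in a response before using
# or caching them. Records whose owner name is not at or below the zone the
# queried server is authoritative for are discarded, so an A6 record for the
# upstream provider's prefix cannot enter the cache via this response.

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or lies below it.

    Comparison is label-wise and case-insensitive, so "evilexample.net."
    is NOT under "example.net." even though it ends with the same string.
    """
    if zone.strip(".") == "":            # the root zone covers every name
        return True
    o = owner.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(o) >= len(z) and o[-len(z):] == z


def filter_response(zone: str, records: list[tuple[str, str, str]]) -> tuple[list, list]:
    """Split (owner, type, rdata) records into (kept, dropped) by bailiwick."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr[0], zone) else dropped).append(rr)
    return kept, dropped


# Constructed sample: a reply from the example.net servers that "helpfully"
# includes the next A6 link, which belongs to the provider's zone.
SAMPLE_ZONE = "example.net."
SAMPLE_RECORDS = [
    ("host.example.net.", "A6", "64 ::1234:5678:9abc:def0 prefix.example.net."),
    ("prefix.example.net.", "A6", "48 0:0:0:1:: subnet.provider.example."),
    ("subnet.provider.example.", "A6", "0 2001:db8:1::"),   # out of bailiwick
    ("EXAMPLE.NET.", "NS", "ns1.example.net."),
    ("ns1.example.net.", "AAAA", "2001:db8::53"),
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_ZONE, SAMPLE_RECORDS)
    for rr in kept:
        print("keep   ", rr)
    for rr in dropped:
        print("discard", rr)
```

The dropped provider record must instead be fetched by querying the provider's own servers, which is exactly the extra query the draft hoped DNSSEC would let resolvers skip.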