Re: Additional filtering of responses
"Roy Arends" <roy@nominet.org.uk> Thu, 07 August 2008 17:26 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0F79F3A68CF; Thu, 7 Aug 2008 10:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.049
X-Spam-Level:
X-Spam-Status: No, score=-4.049 tagged_above=-999 required=5 tests=[AWL=-0.750, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_UK=1.749, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pyzZrgr4X0uk; Thu, 7 Aug 2008 10:26:46 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 7BFD53A67ED; Thu, 7 Aug 2008 10:26:45 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KR9Co-000Fu6-OF for namedroppers-data@psg.com; Thu, 07 Aug 2008 17:23:18 +0000
Received: from [213.248.199.23] (helo=mx3.nominet.org.uk) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <roy@nominet.org.uk>) id 1KR9CJ-000FrS-M7 for namedroppers@ops.ietf.org; Thu, 07 Aug 2008 17:22:49 +0000
DomainKey-Signature: s=main.dk.nominet.selector; d=nominet.org.uk; c=nofws; q=dns; h=X-IronPort-AV:Received:In-Reply-To:References:To:Cc: Subject:MIME-Version:X-Mailer:Message-ID:From:Date: X-MIMETrack:Content-Type; b=L53Js9xCz97NO4F3/o7bC6A4Hb8iDbf1a9GyckLV/28UJeovhFZIdYIi iHNch8+jTwE3POGfoFKIte3dx3M206TMWsOfLAdgM5wA/mKr3q470zIeO lX+F2GLCjQckYEN;
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nominet.org.uk; i=roy@nominet.org.uk; q=dns/txt; s=main.dkim.nominet.selector; t=1218129767; x=1249665767; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20"Roy=20Arends"=20<roy@nominet.org.uk>|Subject: =20Re:=20Additional=20filtering=20of=20responses|Date:=20 Thu,=207=20Aug=202008=2019:22:44=20+0200|Message-ID:=20<O FFD89D274.0EB753A2-ON8025749E.005DEB1D-C125749E.005F7431@ nominet.org.uk>|To:=20Paul=20Vixie=20<vixie@isc.org>|Cc: =20Namedroppers=20<namedroppers@ops.ietf.org>,=0D=0A=09vi xie@vix.com,=0D=0A=09Wouter=20Wijngaards=20<wouter@NLnetL abs.nl>|MIME-Version:=201.0|In-Reply-To:=20<55353.1218127 604@nsa.vix.com>|References:=20<489AD5E3.20708@nlnetlabs. nl>=20<45759.1218122552@nsa.vix.com>=20=20<OF8C6AC1F0.001 ADC24-ON8025749E.00576A89-C125749E.005ADCE2@nominet.org.u k>=20<55353.1218127604@nsa.vix.com>; bh=98gNVOETLkeTDzRzyEaR+/2ey+lEsXloWpP1BuomwWU=; b=mwOIF3XRT9DnxzKwS4IgMx9ndXr2V9KMa8QoTi11lFGi701KOXJ1EfBU GYkEkUSg8KErj6u5fWi8aaBLyk44mGip6P6s4f6q7e1VWURQonahpC9u4 UjoJETqzS2jazMO;
X-IronPort-AV: E=Sophos;i="4.31,321,1215385200"; d="scan'208";a="5818904"
Received: from notes1.nominet.org.uk ([213.248.197.128]) by mx3.nominet.org.uk with ESMTP; 07 Aug 2008 18:22:46 +0100
In-Reply-To: <55353.1218127604@nsa.vix.com>
References: <489AD5E3.20708@nlnetlabs.nl> <45759.1218122552@nsa.vix.com> <OF8C6AC1F0.001ADC24-ON8025749E.00576A89-C125749E.005ADCE2@nominet.org.uk> <55353.1218127604@nsa.vix.com>
To: Paul Vixie <vixie@isc.org>
Cc: Namedroppers <namedroppers@ops.ietf.org>, vixie@vix.com, Wouter Wijngaards <wouter@NLnetLabs.nl>
Subject: Re: Additional filtering of responses
MIME-Version: 1.0
X-Mailer: Lotus Notes Build VMac_Beta85_20080115_MM2 January 15, 2008
Message-ID: <OFFD89D274.0EB753A2-ON8025749E.005DEB1D-C125749E.005F7431@nominet.org.uk>
From: Roy Arends <roy@nominet.org.uk>
Date: Thu, 07 Aug 2008 19:22:44 +0200
X-MIMETrack: Serialize by Router on notes1/Nominet(Release 7.0.1FP1 | May 25, 2006) at 07/08/2008 06:22:45 PM, Serialize complete at 07/08/2008 06:22:45 PM
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
vixie@vix.com wrote on 08/07/2008 06:46:44 PM: > From: "Roy Arends" <roy@nominet.org.uk> > > Paul Vixie wrote on 08/07/2008 05:22:32 PM: > > > ... > > > > What does the scripture say about the following, very small (see * below) > > response: > > what am i, your prophet? to hell with the scriptures, here's my take on it. I was trying to address the group in general, you happened to be on the recipient list. Forgot to scrub that ;-) > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37612 > > ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 > > > > ;; QUESTION SECTION: > > ;010a.example. IN A > > > > ;; ANSWER SECTION: > > 010a.example. 86400 IN A 192.0.2.9 > > > > ;; AUTHORITY SECTION: > > example. 86400 IN NS 010a.example. > > > > ;; Query time: 3 msec > > ;; SERVER: 192.0.2.10#53(192.0.2.10) > > > > No glue. No additional section. > > > > Is the address record in the answer section cached? > > yes, since it matches the qname and it's in the zone you were querying. > > > When cached, is 192.0.2.9 considered authoritative now for future lookups > > under example? > > yes, since it was received as an answer, it's presumed to be the same as > the answer one would get by discarding it and re-asking for it. (that's > what's different about this case vs. the additional data case.) > > > Will that NS record ever expire if a query is send once a day ? > > your example shows an authoritative response. your question here is about > expiry and therefore caching. the TTL would tick down, and on the seventh > day it would expire, and a subsequent query would cause us to go back to > the root zone for a new delegation response. > > > With all scrubbing and additional filtering of responses, will this > > response cause a successful cache-(over)write of example NS records? > > yes. > > > No criticism about scrubbers and filters, just curious of what > > implementations do and what the protocol dictates. > > the protocol is horribly weak in terms of datapath protection. the whole > thing is laboratory-grade. the only true fix for any of this is dnssec. > > > Roy Arends > > Nominet. > > > > (*) The wireformat of this DNS message is just 60 octets due to the use > > of compression pointers. > > i think DW (DNS-OARC) has a wiki where stuff like this can be shared, fwiw. Thanks for the pointer. I'll ping DW. > note that RTT banding, to make more random the RDNS' selection of an ADNS, > is another terrible idea (similar to dns-0x20 in its terribleness but also > in the ability to deploy it without a forklift of the whole infrastructure), > which would make it little bit harder to spoof .COM delegation responses. Agree Roy -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: Additional filtering of responses Tony Finch
- Additional filtering of responses Wouter Wijngaards
- OFFTOPIC: DNSSEC groupthink versus improving DNS bert hubert
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: Additional filtering of responses Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- RE: OFFTOPIC: DNSSEC groupthink versus improving … Jesper G. Høy
- Re: Additional filtering of responses Roy Arends
- Re: Additional filtering of responses Paul Vixie
- Forgery resilience idea - wildcard cooperative de… Brian Dickson
- Re: Forgery resilience idea - wildcard cooperativ… Paul Vixie
- Re: Additional filtering of responses Roy Arends
- Re: Forgery resilience idea - wildcard cooperativ… bert hubert
- Re: Forgery resilience idea - wildcard cooperativ… Brian Dickson
- Re: Additional filtering of responses Edward Lewis
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Olaf Kolkman
- Re: Additional filtering of responses Tony Finch
- Re: OFFTOPIC: DNSSEC groupthink versus improving … David Conrad
- Re: OFFTOPIC: DNSSEC groupthink versus improving … bert hubert
- Re: Additional filtering of responses Edward Lewis
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Federico Lucifredi
- Re: Additional filtering of responses Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: Additional filtering of responses Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Brian Dickson
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Brian Dickson
- Re: Additional filtering of responses Masataka Ohta
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: Additional filtering of responses Masataka Ohta
- Re: Additional filtering of responses Roy Arends
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ralf Weber
- Re: Additional filtering of responses Masataka Ohta
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: Additional filtering of responses Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ralf Weber
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Alex Bligh
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … sthaug
- Re: OFFTOPIC: DNSSEC groupthink versus improving … bert hubert
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: Additional filtering of responses Peter Koch
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Please stop this thread (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Otmar Lendl
- Re: Please stop this thread (was: OFFTOPIC: DNSSE… Matt Larson
- Re: Please stop this thread (was: OFFTOPIC: DNSSE… David Conrad
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ben Laurie
- how many angels can dance on the head of a pin? bmanning
- Re: how many angels can dance on the head of a pi… Duane at e164 dot org
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Florian Weimer
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… sthaug
- Re: how many angels can dance on the head of a pi… Ben Laurie
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Ben Laurie
- Re: how many angels can dance on the head of a pi… Paul Vixie
- Re: how many angels can dance on the head of a pi… Paul Hoffman
- Re: how many angels can dance on the head of a pi… bmanning
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Havard Eidnes
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- DNSSEC on autopilot (was: OFFTOPIC: DNSSEC groupt… Otmar Lendl
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Otmar Lendl
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Mark Andrews
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan