IETF Logo Mail Archive

Re: Extra records in zone transfers

"D. J. Bernstein" <djb@cr.yp.to> Sat, 17 March 2001 15:37 UTC

Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA07105 for <dnsext-archive@lists.ietf.org>; Sat, 17 Mar 2001 10:37:15 -0500 (EST)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14eIGm-0003OJ-00 for namedroppers-data@psg.com; Sat, 17 Mar 2001 07:05:28 -0800
Received: from [135.222.64.10] (helo=roam.psg.com ident=root) by psg.com with esmtp (Exim 3.16 #1) id 14eIGl-0003OD-00 for namedroppers@ops.ietf.org; Sat, 17 Mar 2001 07:05:27 -0800
Received: from randy by roam.psg.com with local (Exim 3.20 #1) id 14eIGk-0002Ei-00 for namedroppers@ops.ietf.org; Sat, 17 Mar 2001 07:05:26 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Sat, 17 Mar 2001 14:28:17 -0000
Message-ID: <20010317142817.24001.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: namedroppers@ops.ietf.org
Subject: Re: Extra records in zone transfers
References: <20010315135603.13247.qmail@cr.yp.to> <Pine.LNX.4.30.0103151626160.17172-100000@localhost.localdomain> <20010316103542.14117.qmail@cr.yp.to> <200103162113.NAA17071@gulag.araneus.fi>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit

Andreas Gustafsson writes:
  [ aol.com records in a zone transferred from princeton.edu ]
> it may be used as glue in referrals

No. That is completely unacceptable from a security perspective.

Consider, as an easy example, a server handling both the .net zone and
the microsoft.net zone. Suppose the microsoft.net people say

   blah.microsoft.net NS ns.slashdot.net
   ns.slashdot.net A 207.46.232.37

in an AXFR response to this server. It is essential for the server to
discard the glue A record; otherwise it will poison caches, because
caches trust ns.slashdot.net information from .net servers.

If IXFR relies on the server keeping this record, then IXFR is broken.
Furthermore, the IXFR protocol has an official status of Elective, and
my users have a better protocol (rsync), so I am not going to support
IXFR, and I object to IXFR-induced complications in the AXFR protocol.

> Records below cs.princeton.edu that were not present in
> the princeton.edu master file MUST NOT be transmitted,

My servers use a redesigned unified configuration-file format, different
from your master-file format. As I said, they automatically treat all
*.cs.princeton.edu records as non-authoritative records for the
princeton.edu zone, as a convenience for the system administrator.
Everything works.

You claim without justification that it is ``incorrect'' for the
princeton.edu zone to contain (e.g.) www.cs.princeton.edu records, even
though you say that www.aol.com records are okay. I don't see any
support for your views in the DNS specifications.

---Dan


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

v2.39.1 | Report a Bug | By Email | System Status