Re: [dnsext] draft-bellis-dnsext-dnsproxy-00

Florian Weimer <fw@deneb.enyo.de> Mon, 03 November 2008 19:34 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: Ray.Bellis@nominet.org.uk
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] draft-bellis-dnsext-dnsproxy-00
References: <OFDEB3E292.34C937FA-ON802574EF.005C7131-802574EF.005D153A@nominet.org.uk> <OFCF9D79AB.6203C74E-ON802574F6.005713B9-802574F6.005724A5@nominet.org.uk>
Date: Mon, 03 Nov 2008 20:27:22 +0100
In-Reply-To: <OFCF9D79AB.6203C74E-ON802574F6.005713B9-802574F6.005724A5@nominet.org.uk> (Ray Bellis's message of "Mon, 3 Nov 2008 15:51:49 +0000")
Message-ID: <87zlkgtxt1.fsf@mid.deneb.enyo.de>
List-ID: <namedroppers.ops.ietf.org>

* Ray Bellis:

>> I've just submitted:
>> 
>>   http://tools.ietf.org/html/draft-bellis-dnsext-dnsproxy-00
>> 
>> "This document provides guidelines for the implementation of DNS proxies,
>> as found in broadband routers and other similar network devices."
>
> Does anyone have any feedback on this draft?

|   Also, whilst the EDNS0 specification allows for a buffer size of up
|   to 65536 octets, most common DNS server implementations do not
|   support a buffer size above 4096 octets.

65536?  Shouldn't it be 65535?

| 6.1.  Forgery Resilience

It is imperative that if the response is cached, the packet is not
passed through unchanged; query ID and source ports MUST be
randomized.  This requires some work for TSIG queries (as described in
RFC 2845).

|   o  invalid compression pointers (i.e. those that run forward of the
|      current packet offset, or which don't point at the start of
|      another label).

Are these pointers really invalid?

Compression loops and compression references in places where actually
forbidden by the RFCs would be relevant examples, IMHO.

|   o  incorrect counts for the Question, Answer, Authority and
|      Additional Sections (although care should be taken where
|      truncation is a possibility).

This raises the question of trailing garbage in the UDP packet.  For
interoperability reasons, I think this has to be accepted.

I like the draft.  But I have to agree with Bert that it's a bit like
preaching to the choir.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
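Added example, not code from the draft, from the thread or from either author: a Python check that a proxy could run over a response before caching or relaying it. It implements the two bulleted conditions quoted above as the reply discusses them (compression pointers that run forward or do not land on the start of a label; section counts that disagree with the message, with the TC bit handled leniently) and adds the compression-loop case the reply raises, while trailing octets after the last record are only counted, not rejected. Every message below is constructed inline rather than captured; the RDATA_NAMES table of record types whose RDATA starts with compressible names is this example's own simplification of RFC 1035 section 3.3.

```python
import struct

class DnsFormatError(ValueError):
    """Message fails a structural check; a proxy should not cache or relay it."""

class ShortMessage(DnsFormatError):
    """The counts claim more data than the message contains."""

# Example's own table (simplified from RFC 1035 s3.3): RR type -> (fixed octets
# before the first name, number of names). SOA's trailing 20 octets are skipped
# via RDLENGTH. Names found here become legitimate compression-pointer targets.
RDATA_NAMES = {2: (0, 1), 5: (0, 1), 6: (0, 2), 12: (0, 1), 15: (2, 1)}

def read_name(msg, offset, label_starts):
    """Decode the name at `offset`; return (name, offset just past its wire form).

    `label_starts` collects offsets where labels began earlier in the message.
    A pointer is accepted only if it points backwards and targets one of them;
    following the same target twice within one name is reported as a loop.
    """
    labels, pos, end, visited, total = [], offset, None, set(), 0
    while True:
        if pos >= len(msg):
            raise ShortMessage("name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise ShortMessage("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            end = pos + 2 if end is None else end       # wire form ends at first pointer
            if target >= pos:
                raise DnsFormatError(f"forward pointer at {pos} -> {target}")
            if target not in label_starts:
                raise DnsFormatError(f"pointer at {pos} -> {target} is not a label start")
            if target in visited:
                raise DnsFormatError(f"compression loop through offset {target}")
            visited.add(target)
            pos = target
            continue
        if length & 0xC0:
            raise DnsFormatError(f"reserved label type 0x{length:02x} at {pos}")
        label_starts.add(pos)
        if length == 0:                                  # root label terminates the name
            return ".".join(labels) + ".", (pos + 1 if end is None else end)
        if pos + 1 + length > len(msg):
            raise ShortMessage("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        total += length + 1
        if total > 254:                                  # 255 incl. the root octet
            raise DnsFormatError("name exceeds 255 octets")
        pos += 1 + length

def check_message(msg):
    """Walk the header and all four sections; return a report dict.

    Raises DnsFormatError for invalid names or counts. When TC is set, a section
    that ends early is reported as incomplete instead of rejected (the draft's
    "care should be taken where truncation is a possibility").
    """
    if len(msg) < 12:
        raise ShortMessage("shorter than the 12-octet header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    tc = bool(flags & 0x0200)
    label_starts, names, pos, incomplete = set(), [], 12, False
    try:
        for _ in range(qd):
            name, pos = read_name(msg, pos, label_starts)
            if pos + 4 > len(msg):                       # QTYPE + QCLASS
                raise ShortMessage("question section runs past end of message")
            names.append(name)
            pos += 4
        for count in (an, ns, ar):
            for _ in range(count):
                name, pos = read_name(msg, pos, label_starts)
                if pos + 10 > len(msg):                  # TYPE, CLASS, TTL, RDLENGTH
                    raise ShortMessage("RR header runs past end of message")
                rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
                pos += 10
                if pos + rdlen > len(msg):
                    raise ShortMessage("RDATA runs past end of message")
                if rtype in RDATA_NAMES:                 # register names inside RDATA
                    skip, n = RDATA_NAMES[rtype]
                    p = pos + skip
                    for _ in range(n):
                        p = read_name(msg, p, label_starts)[1]
                    if p > pos + rdlen:
                        raise DnsFormatError("RDATA name overruns RDLENGTH")
                pos += rdlen
                names.append(name)
    except ShortMessage:
        if not tc:
            raise
        incomplete = True
    return {"id": ident, "response": bool(flags & 0x8000), "truncated": tc,
            "incomplete": incomplete, "names": names,
            "trailing_octets": 0 if incomplete else len(msg) - pos}

def audit(msg):
    """('accept', report) or ('reject', reason) for one message."""
    try:
        return "accept", check_message(msg)
    except DnsFormatError as exc:
        return "reject", str(exc)

# --- Constructed sample messages (not captured traffic) ----------------------
HEADER = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)          # response, 1 Q, 1 answer
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"        # example.com A IN at 12..28
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])  # owner -> 12
GOOD_RESPONSE = HEADER + QUESTION + ANSWER
TRAILING_GARBAGE = GOOD_RESPONSE + b"\x00\x00"                    # accepted, only counted
FORWARD_POINTER = HEADER + QUESTION + b"\xc0\x28" + ANSWER[2:]     # owner points ahead to 40
MID_LABEL_POINTER = HEADER + QUESTION + b"\xc0\x0d" + ANSWER[2:]   # offset 13 is inside "example"
LOOP = HEADER + b"\x01a\xc0\x0c" + b"\x00\x01\x00\x01" + ANSWER    # "a" at 12, pointer back to 12
BAD_COUNT = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + QUESTION + ANSWER   # claims 2 answers
TRUNCATED = struct.pack("!6H", 0x1234, 0x8380, 1, 2, 0, 0) + QUESTION + ANSWER   # same, TC set
NS_RR = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 5) + b"\x02ns\xc0\x0c"    # RDATA name at 41
GLUE_RR = b"\xc0\x29" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 53])  # owner -> 41
WITH_GLUE = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 1, 1) + QUESTION + NS_RR + GLUE_RR

if __name__ == "__main__":
    for label, m in [("good", GOOD_RESPONSE), ("trailing", TRAILING_GARBAGE), ("glue", WITH_GLUE),
                     ("forward", FORWARD_POINTER), ("mid-label", MID_LABEL_POINTER),
                     ("loop", LOOP), ("bad count", BAD_COUNT), ("truncated", TRUNCATED)]:
        print(f"{label:10s} {audit(m)}")
```

The WITH_GLUE message is the case that makes the "label start" rule non-trivial: the additional-section A record compresses its owner name against the NS record's RDATA, so a checker that only remembers owner and question names would reject a perfectly ordinary referral. A proxy that rejects on these errors should still do so before, not instead of, rewriting the query ID and source port on cached responses, which is a separate mechanism from these structural checks.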