To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: dnsop@cafax.se
From: bert hubert <ahu@ds9a.nl>
Date: Fri, 7 Nov 2003 08:15:20 +0100
Content-Disposition: inline
In-Reply-To: <3FAB2C59.3040404@necom830.hpcl.titech.ac.jp>
Mail-Followup-To: bert hubert <ahu@ds9a.nl>, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.3.28i
Subject: Re: preventing cache contamination
On Fri, Nov 07, 2003 at 02:23:37PM +0900, Masataka Ohta wrote:

> It is just enough protection against the well-known attack to
> contaminate a cache by glue A, which I confirmed to work about
> 10 years ago.

pdns_recursor simply rejects answers that are not in the zone of the NS
that caused it to recurse to that nameserver. So:

> That is, with
>
> hpcl.titech.ac.jp. NS foo.bar
> foo.bar. A 131.112.32.132

Say a question originally arrived for www.hpcl.titech.ac.jp, and
pdns_recursor already had "titech.ac.jp NS your-nameserver"; pdns_recursor
then only accepts answers within or above titech.ac.jp. Foo.bar is
immediately rejected, as it does not end in titech.ac.jp.

Every once in a while this causes pdns to ask more questions than strictly
necessary, but it's still faster than most recursing nameservers. Run
pdns_recursor in --trace mode to see it explain all its decisions.

In this case, the glue is not necessary and hence not accepted. I think DJB
does something smarter and accepts the glue *only* for this question.

> I'm saying an answer should be stored in the cache for later use only
> if the same answer is obtained multiple times with independent
> IDs.

Ah - so you just ask a question multiple times with different id and source
port, making it exponentially harder to spoof an answer. Sure, that would
work, but it doubles the load on authoritative nameservers.

Bert.

--
http://www.PowerDNS.com Open source, database driven DNS Software
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
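The bailiwick rule Bert describes, as an added illustration that is not pdns_recursor's own code: records in a response are kept only when their owner name lies at or below the zone the queried nameserver was learned for, so the off-zone `foo.bar` glue A is dropped while the in-zone NS record survives. The `RR` type, the `in_bailiwick` and `filter_response` helpers, and the sample response are all constructed here; the check is a label-wise comparison, not a plain string suffix test, so names like `xtitech.ac.jp` are not mistaken for children of `titech.ac.jp`.

```python
from dataclasses import dataclass
from typing import List, Tuple


def labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone itself or a name below it (label-wise)."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


@dataclass(frozen=True)
class RR:
    """A minimal resource record: owner name, type and presentation-format rdata."""
    owner: str
    rtype: str
    rdata: str


def filter_response(records: List[RR], zone: str) -> Tuple[List[RR], List[RR]]:
    """Split a response into records accepted for the cache and records rejected
    because their owner is outside the zone the answering NS is trusted for."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.owner, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed response: a titech.ac.jp nameserver refers hpcl.titech.ac.jp to
# foo.bar and tacks on a glue A record for that off-zone name.
RESPONSE = [
    RR("hpcl.titech.ac.jp.", "NS", "foo.bar."),
    RR("foo.bar.", "A", "131.112.32.132"),
]

if __name__ == "__main__":
    ok, dropped = filter_response(RESPONSE, "titech.ac.jp")
    for rr in ok:
        print("accept", rr)
    for rr in dropped:
        print("reject", rr)  # the glue: resolver must look up foo.bar itself
```

The NS record is cached but its glue is not, which is exactly why the resolver sometimes has to issue an extra query for the nameserver's address.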