To: bert hubert <ahu@ds9a.nl>
CC: dnsop@cafax.se
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Fri, 07 Nov 2003 16:42:31 +0900
In-Reply-To: <20031107071520.GA20568@outpost.ds9a.nl>
Sender: owner-dnsop@cafax.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Subject: Re: preventing cache contamination
bert hubert;

>> I'm saying answer should be stored in cache for later use, only
>> if the same answer is obtained multiple times with independent
>> IDs.
>
> Ah - so you just ask a question multiple times with different id and source
> port, making it exponentially harder to spoof an answer.

No, though it is a protection on end systems.

To prevent cache contamination, it is enough that the caching server caches
information only if there is more than one query.

> Sure, that would work

Thanks. Anyone else with another opinion?

> but it doubles the load on authoritative nameservers.

Not necessarily. That is, as for caching servers, some questions are asked
only once, so that no duplicated query is generated.

Anyway, does anyone mind? Note that the traffic should be a lot less than
that for secure DNS.

>> That is, with
>>
>>   hpcl.titech.ac.jp. NS foo.bar
>>   foo.bar. A 131.112.32.132
>
> Say a question originally arrived for www.hpcl.titech.ac.jp, and
> pdns_recursor already had "titech.ac.jp NS your-nameserver", pdns_recursor
> only accepts answers within or above titech.ac.jp. Foo.bar is immediately
> rejected, as it does not end on titech.ac.jp.

Are you saying nameservers "[a-m].gtld-servers.net." for "com." are rejected?

> I think DJB does something smarter and accepts the glue *only* for this
> question.

That's unnecessarily inefficient.

                                                        Masataka Ohta

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
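The two defences the exchange above argues about, as an added example that is not part of the original mail and is not code from pdns_recursor or djbdns. It assumes the common form of the bailiwick rule (a record is cacheable only if its owner name lies in the zone the queried server is authoritative for) and reads the "same answer with independent IDs" proposal as a quorum of identical replies across transactions with distinct query IDs. It is run against both cases the thread names: the foo.bar glue returned by a titech.ac.jp server, and the com. referral to gtld-servers.net returned by a root server. The quorum of 2, the transaction IDs, the glue address for a.gtld-servers.net and the forged answer are constructed values.

```python
"""Bailiwick filtering and corroborated caching against DNS cache contamination.

Added example, not code from pdns_recursor, djbdns or any thread participant.
Zone cuts, transaction IDs and the forged reply below are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, rdata)


def _labels(name: str) -> List[str]:
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` or lies below it, compared label by label
    (so "evil-titech.ac.jp" is NOT under "titech.ac.jp"). The root zone "."
    has no labels and therefore contains every name."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_bailiwick(zone: str, records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Split records returned by a server for `zone` into (kept, dropped).

    Only records whose OWNER name is inside `zone` are cacheable. For the
    thread's referral from a titech.ac.jp server this keeps
    "hpcl.titech.ac.jp. NS foo.bar." (owner in zone) and drops the glue
    "foo.bar. A 131.112.32.132" (owner outside it); the recursor must then
    resolve foo.bar on its own rather than trust that A record."""
    kept: List[Record] = []
    dropped: List[Record] = []
    for rec in records:
        (kept if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return kept, dropped


class CorroboratingCache:
    """Stores an RRset only after `quorum` transactions with DISTINCT query IDs
    returned identical rdata. A forged reply that guessed one ID is never
    stored, and replaying the same ID does not count twice. This is one
    reading of the proposal in the thread; quorum=2 is an assumed value."""

    def __init__(self, quorum: int = 2) -> None:
        self.quorum = quorum
        self.cache: Dict[Tuple[str, str], Tuple[str, ...]] = {}
        # (owner, type) -> {rdata tuple: set of transaction IDs that returned it}
        self._pending: Dict[Tuple[str, str], Dict[Tuple[str, ...], Set[int]]] = defaultdict(dict)

    def offer(self, owner: str, rtype: str, rdata: List[str], txid: int) -> bool:
        """Record one reply; True if it completed the quorum and was cached."""
        key = (owner.lower().rstrip("."), rtype)
        data = tuple(sorted(rdata))
        ids = self._pending[key].setdefault(data, set())
        ids.add(txid)
        if len(ids) < self.quorum:
            return False
        self.cache[key] = data
        del self._pending[key]  # discard competing (possibly forged) candidates
        return True

    def lookup(self, owner: str, rtype: str) -> Optional[Tuple[str, ...]]:
        return self.cache.get((owner.lower().rstrip("."), rtype))


def demo() -> dict:
    """Run the thread's two scenarios and return the outcomes for inspection."""
    # Referral quoted in the thread, as returned by a server for titech.ac.jp.
    kept, dropped = filter_bailiwick("titech.ac.jp", [
        ("hpcl.titech.ac.jp.", "NS", "foo.bar."),
        ("foo.bar.", "A", "131.112.32.132"),
    ])
    # The gtld-servers question: a root server (zone ".") hands out
    # "com. NS a.gtld-servers.net." plus glue; every name is under ".".
    root_kept, root_dropped = filter_bailiwick(".", [
        ("com.", "NS", "a.gtld-servers.net."),
        ("a.gtld-servers.net.", "A", "192.0.2.6"),  # constructed glue value
    ])
    # Corroboration: three transactions for one question, the attacker wins one.
    cache = CorroboratingCache(quorum=2)
    name = "www.hpcl.titech.ac.jp."
    first = cache.offer(name, "A", ["131.112.32.132"], 0x1A2B)   # genuine, txid 1
    replay = cache.offer(name, "A", ["131.112.32.132"], 0x1A2B)  # same txid: no credit
    forged = cache.offer(name, "A", ["192.0.2.66"], 0x7C3D)      # attacker guessed txid 2
    second = cache.offer(name, "A", ["131.112.32.132"], 0x33F1)  # genuine, txid 3
    return {
        "kept": kept, "dropped": dropped,
        "root_kept": root_kept, "root_dropped": root_dropped,
        "offers": (first, replay, forged, second),
        "cached": cache.lookup(name, "A"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The two checks are independent: the bailiwick filter decides which records from one reply may be cached at all, while the corroborating cache decides how many matching replies it takes before anything is stored. Note the cost the thread argues about: with quorum=2 every cached name requires at least two upstream transactions.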