
Re: Security comments re draft-ietf-dnsext-unknown-rrs-00.txt



> An unknown RR could be an A6. If a server doesn't understand an A6
> then its cache can be poisoned and the resolution process impacted.
> Additionally, we cannot predict what future RR types will have on the
> resolution process.

Unknown types are no more prone to poisoning than known types are.
The anti-poisoning logic used by modern DNS servers is not based on
examining the contents of the RRs.

> Yet the draft implies, assuming I am interpreting Section 3 correctly,
> a DNS content firewall is to ignore the data and pass it on. In that
> case, the draft says: DNS content firewalls are non-compliant.

Yes, that's what it says.  I'm not sure that's a problem - you could
argue that any firewall system is non-compliant by definition because
its very purpose is to sometimes fail to provide the services defined
by the protocols being filtered.  If necessary, the text of the draft
could be changed to explicitly make firewalls compliant, for example by
changing "must handle transparently" into "must be capable of handling
transparently".
-- 
Andreas Gustafsson, gson@nominum.com
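As an added illustration of the point made above, that a resolver's anti-poisoning (bailiwick) logic keys on the owner name and not on the RR contents, here is a small example (not code from the draft or from anyone in this thread) that parses RRs with opaque RDATA and applies the same bailiwick check to a known type (A) and to a constructed private-use type, TYPE65280:

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name (no compression), e.g. 'www.example.com.'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name; returns (name, offset after the name)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower() + ".", off

def build_rr(name: str, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """Build one RR in wire format (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def parse_rr(msg: bytes, off: int):
    """Parse one RR. RDATA stays opaque bytes whatever the type is, so a
    type this code has never heard of is handled exactly like an A record."""
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return {"name": name, "type": rtype, "ttl": ttl,
            "rdata": msg[off:off + rdlen]}, off + rdlen

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if the owner name is the zone apex or below it."""
    return owner == zone or owner.endswith("." + zone)

def filter_answers(section: bytes, count: int, zone: str):
    """Split RRs into accepted/rejected using only the owner name."""
    accepted, rejected, off = [], [], 0
    for _ in range(count):
        rr, off = parse_rr(section, off)
        (accepted if in_bailiwick(rr["name"], zone) else rejected).append(rr)
    return accepted, rejected

# Constructed sample answer section, as if returned by a server for example.com.
TYPE_A, TYPE_UNKNOWN = 1, 65280   # 65280 is a constructed private-use type number
SAMPLE = (build_rr("www.example.com.", TYPE_A, bytes([192, 0, 2, 10]))
          + build_rr("www.example.com.", TYPE_UNKNOWN, b"\xde\xad\xbe\xef\x01")
          + build_rr("www.example.net.", TYPE_A, bytes([192, 0, 2, 99])))

if __name__ == "__main__":
    ok, bad = filter_answers(SAMPLE, 3, "example.com.")
    print([(r["name"], r["type"]) for r in ok], [(r["name"], r["type"]) for r in bad])
```

The out-of-zone A record is rejected and both in-zone records are accepted, without the code ever interpreting the RDATA of either type.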

