
List:       namedroppers
Subject:    Re: Is this a possible DoS scenario within DNSSEC ?
From:       Roy Arends <roy () nlnetlabs ! nl>
Date:       2000-07-26 15:19:44

On Wed, 26 Jul 2000, Edward Lewis wrote:

> At 8:10 AM -0400 7/25/00, Roy Arends wrote:
> >A SIG record covers RR Sets. Consider a caching server (not secured),
> >which has cached the following:
> ...
> >The SIG above validates the two NS records. At one point the cache
> >gets spoofed with for instance:
> >
> >example.org.  NS  very.ugly.org.
> >
> >Upon a query for these records, the cache server will respond with all 3
> >NS records and the SIG record.
> ...
> >
> >Is this a possible scenario ?
> 
> I think this scenario is incorrect.  If a cache (secured or not) has data
> for a name/type/class and receives different data for the same triplet, the
> cache is supposed to retain one and drop the other.
> 
> Caches are not supposed to merge data.  The clarify RFC explicitly states
> this.  Any caching server merging data is in violation of the spec.

Yes, you are correct. RFC 2181 sections 5.4 and 5.3.1 explicitly state this.
Thank you for pointing this out.

Roy Arends
NLnet Labs
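The cache behaviour the two messages above agree on, as an added illustration that is not part of the original thread: an RRset cache keyed on name/class/type that, in the spirit of RFC 2181 section 5.4, replaces or discards a whole RRset and never merges records into one, next to a check of why a merged set would no longer match a signature computed over the original set. The signature is an HMAC over the canonical RRset, a stand-in for the DNSSEC SIG record rather than the real algorithm; the credibility ranks, the tie-breaking rule, the key and the sample NS records are constructed for this example.

```python
"""Added example (not from the namedroppers thread): RRset cache that replaces
rather than merges, plus a signature check over the whole RRset.

The "signature" is an HMAC over the canonical RRset, standing in for a real
DNSSEC SIG. Ranks and sample data are constructed for this example.
"""
import hashlib
import hmac

# Credibility ranks in the spirit of RFC 2181 5.4.1 (higher is more trusted).
# The numeric values are this example's own, not taken from the RFC.
RANK_AUTH_ANSWER = 3   # answer section of an authoritative reply
RANK_AUTHORITY = 2     # authority section
RANK_ADDITIONAL = 1    # additional section (least credible)


def canonical(name, rrclass, rrtype, rdatas):
    """Canonical wire-independent form of an RRset: owner/class/type plus
    sorted, lower-cased RDATA, so the same set always serialises identically."""
    lines = [f"{name.lower()} {rrclass} {rrtype} {rd.lower()}"
             for rd in sorted(rdatas, key=str.lower)]
    return "\n".join(lines).encode()


def sign_rrset(key, name, rrclass, rrtype, rdatas):
    """Stand-in for SIG generation: HMAC over the canonical RRset."""
    return hmac.new(key, canonical(name, rrclass, rrtype, rdatas),
                    hashlib.sha256).hexdigest()


def verify_rrset(key, name, rrclass, rrtype, rdatas, sig):
    """The signature covers the set as a whole: any added or dropped record
    changes the canonical form and the check fails."""
    expected = sign_rrset(key, name, rrclass, rrtype, rdatas)
    return hmac.compare_digest(expected, sig)


class RRsetCache:
    """Cache keyed on (name, class, type). A received RRset either replaces
    the cached one wholesale or is discarded; RRs are never merged."""

    def __init__(self):
        self._sets = {}  # key -> (rank, frozenset(rdata), sig or None)

    def receive(self, name, rrclass, rrtype, rdatas, rank, sig=None):
        key = (name.lower(), rrclass, rrtype)
        old = self._sets.get(key)
        # Only strictly more credible data replaces the cached set; on a tie
        # this example keeps what is already cached (an implementation choice).
        if old is None or rank > old[0]:
            self._sets[key] = (rank, frozenset(rdatas), sig)
            return "stored"
        return "discarded"

    def lookup(self, name, rrclass, rrtype):
        entry = self._sets.get((name.lower(), rrclass, rrtype))
        if entry is None:
            return None
        return sorted(entry[1]), entry[2]


def demo():
    """Replay the scenario from the thread: a signed two-record NS set is
    cached, then a spoofed NS record for the same owner arrives."""
    key = b"constructed zone key for this example"
    ns = ["ns1.example.org.", "ns2.example.org."]
    sig = sign_rrset(key, "example.org.", "IN", "NS", ns)

    cache = RRsetCache()
    first = cache.receive("example.org.", "IN", "NS", ns, RANK_AUTH_ANSWER, sig)
    # The spoofed record shows up as its own, less credible RRset.
    spoof = cache.receive("example.org.", "IN", "NS", ["very.ugly.org."],
                          RANK_ADDITIONAL)
    cached, cached_sig = cache.lookup("example.org.", "IN", "NS")

    # What a spec-violating cache would have served: the merged set.
    merged = ns + ["very.ugly.org."]
    return {
        "first": first,
        "spoof": spoof,
        "cached": cached,
        "cached_valid": verify_rrset(key, "example.org.", "IN", "NS",
                                     cached, cached_sig),
        "merged_valid": verify_rrset(key, "example.org.", "IN", "NS",
                                     merged, sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as-is, the spoofed record is discarded because it is less credible than the cached authoritative set, the cached set still verifies, and the three-record set a merging cache would have answered with does not verify against the SIG that covered the original two records.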



