North American Network Operators Group
Re: Great Suggestion for the DNS problem...?
On 2008/07/28 09:52 PM Jay R. Ashworth wrote:
> On Mon, Jul 28, 2008 at 12:35:30PM -0700, Tomas L. Byrnes wrote:
>> As you pointed out, the protocol, if properly implemented, addresses
Yes it should work. In fact, why *don't* implementations discard authoritative responses from non-authoritative hosts? Or do we? Or am I horribly wrong?
There's an argument that IP spoofing can easily derail this, but I'd shift that argument higher up the OSI, blame TCP, and move on to recommending SYN cookies. Even if forged though, if the forged IP returns NS authority glue that doesn't match the source, the lookup still fails.
DNSSEC kinda does this verification though, just more complicatedly and more reliant on administrative cooperation, and I've never met a DNS person who is cooperative ;)
My suggestion though was more of replacing NS -> A -> IP with NS -> IP
That is just a brain fart though.
My 0.00264050803375 cents (at current exchange rates).