Why forwarding is a Bad Thing
Brad Knowles
brad.knowles at skynet.be
Thu Mar 22 18:47:52 UTC 2001
At 6:21 PM +0000 3/22/01, Jim Reid wrote:
> The larger
> cache of the forwarded server can sometimes make lookups faster, but
> not enough to make a significant difference.
I disagree. If the query is one that would take a while to
resolve, you could cause a mail message to be deferred (because the
lookup doesn't resolve in time) instead of potentially being
delivered, and depending on what else happens on that server in what
order and at what time, a single deferral could potentially result in
the mail message not being retried again for several hours (or more).
While this may have a minimal impact when measured on the basis
of individual mail messages, taken as a whole across a multiple
million mail message per day volume, I think you could rapidly get
into some pretty significant numbers.
Imagine schemes that embezzle money by shaving the rounding of
numbers to the nearest penny. Numbers below 0.5 are obviously
rounded down, numbers above 0.5 are obviously rounded up, but numbers
that come out to exactly 0.5 are supposed to be either rounded up or
down depending on whether the associated integer portion is odd or
even.
Now, if you were to cause all numbers that are exactly 0.5 to be
rounded down, and the resulting half penny to be deposited in another
account somewhere, when you look at what happens with one individual
account, the amount of difference is likely to be minimal, if
measurable at all.
However, if you do this across the board for a company that has
tens of trillions of dollars of assets under management, and hundreds
of billions of dollars of turn over per day, you could very, very
quickly generate extremely large quantities of money by shaving these
"exactly 0.5" results.
Yes, there really are companies out there that have assets on
this kind of scale, and daily turnover on this kind of scale. If
you're interested, you may want to do some research on the big
investment banks.
Then ask yourself the question of what happens when one of these
investment banks is the holding agent for most of the bonds for a
country, when the country is unable to make payments on them -- does
the investment bank in question end up forcing the country to declare
bankruptcy?
It's a really scary proposition when a company can decide whether
or not to declare a major country to be in default, and it's even
more scary to be on the pointed end of that kind of a question when
you are working at one of the types of companies in question, and it
all comes down to you.
> BTW that remote cache makes things *far* less secure. You
> have no idea what's in it or where those RRs came from. If that cache
> gets poisoned, your forwarding server does too. Charming.
Given that BIND continues to be subject to cache poisoning
(although more recent versions are more resistant), I don't see any
way to avoid this problem at the level of individual name servers.
Moreover, I still haven't heard any arguments that I would take
as being over-riding for the value of having a single "consistent one
world view" of the DNS, and therefore the issue of propagating cache
poisoning is just something you have to live with in order to get
that consistency.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* */
/* Thanks to Phil Carmody <fatphil at asdf.org> for additional tweaks. */
/* */
/* Length: 434 bytes (excluding unnecessary newlines) */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
#define m(i)(x[i]^s[i+84])<<
unsigned char x[5],y,s[2048];main(n){for(read(0,x,5);read(0,s,n=2048);write(1,s
,n))if(s[y=s[13]%8+20]/16%4==1){int i=m(1)17^256+m(0)8,k=m(2)0,j=m(4)17^m(3)9^k
*2-k%8^8,a=0,c=26;for(s[y]-=16;--c;j*=2)a=a*2^i&1,i=i/2^j&1<<24;for(j=127;++j<n
;c=c>y)c+=y=i^i/8^i>>4^i>>12,i=i>>8^y<<17,a^=a>>14,y=a^a*8^a<<6,a=a>>8^y<<9,k=s
[j],k="7Wo~'G_\216"[k&7]+2^"cr3sfw6v;*k+>/n."[k>>4]*2^k*257/8,s[j]=k^(k&k*2&34)
*6^c+~y;}}
More information about the bind-users
mailing list