cTLD and DNS upgrade

Brad Knowles brad at stop.mail-abuse.org
Wed Jul 6 00:34:54 UTC 2005


At 5:34 PM +0200 2005-07-05, Peter Dambier wrote:

>  I could reproduce it easily:
>
>  001   For every domain (X) in the root zone
>  002
>  003      "dig (X) +nssearch"
>  004
>  005   Done

	This is a description of how you found the problem.  This is not 
a description of any sort of test to prove that you found a solution 
that works to prevent all known types of attacks.  Heck, this isn't a 
description of any sort of test to prove that you found a solution 
that works on anything more than the accidental types of cache 
pollution that you encountered.

>  I don't think '#' is one of the allowed characters in the first place and
>  I don't know how they convinced BIND to accept it.

	It's a perfectly valid character as part of a domain name.  Try 
reading the RFCs.  Labels in domain names are explicitly allowed to 
be 8-bit binary data, although there are strong recommendations to 
limit them to the standard syntax for host naming conventions (e.g., 
RFC 1025 section 2.3.1, although I'm sure that this has been updated 
or perhaps even obsoleted by later RFCs).

	Of course, it's not a valid character as part of a hostname, but 
that doesn't prevent BIND from accepting any US-ASCII character as 
being technically valid.

>  My root-servers were never overwritten again nor did I need them
>  except for copying. :)

	And my elephant spray has been 100% effective at keeping 
elephants from entering my house in Belgium.

	What's your point?
	Before you can recommend a particular practice to people, you 
have to have some pretty strong evidence that the practice you're 
proposing is correct, and you should also have some reasonable 
explanations for why.

	You haven't done any of these things.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
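The distinction drawn above, between what is legal in a DNS name on the wire and what is legal in a hostname, can be made concrete. The following is an added example, not code from either poster or from BIND: it encodes a name into DNS wire format exactly as RFC 1035 section 3.1 specifies (a label is a length octet followed by that many arbitrary octets, so '#' or even a NUL byte is accepted), and separately checks the same name against the hostname syntax of RFC 1035 section 2.3.1 (letters, digits and hyphens only), with the RFC 1123 relaxation that lets a label start with a digit. The function names, constants and sample names are this example's own choices.

```python
# Added example (not part of the original thread): a DNS *name* may carry
# any octets in its labels (RFC 1035 section 3.1), while a *hostname* is
# restricted to the LDH preferred syntax (RFC 1035 section 2.3.1, with the
# leading-digit relaxation of RFC 1123 section 2.1).
import re
from typing import List

MAX_LABEL_OCTETS = 63      # RFC 1035: label length fits in 6 bits
MAX_NAME_OCTETS = 255      # RFC 1035: whole wire-format name

# One LDH label: 1..63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LDH_LABEL = re.compile(rb"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def encode_name(name: bytes) -> bytes:
    """Encode a dotted name into uncompressed DNS wire format.

    Only the length limits are enforced; the *content* of a label is not
    inspected, which is why '#' (or any 8-bit value) goes through.
    """
    if name in (b"", b"."):
        return b"\x00"                        # the root name
    labels = name.rstrip(b".").split(b".")
    out = bytearray()
    for label in labels:
        if not 1 <= len(label) <= MAX_LABEL_OCTETS:
            raise ValueError("label length must be 1..63 octets: %r" % label)
        out.append(len(label))                # length octet
        out += label                          # raw label octets, unchecked
    out.append(0)                             # terminating zero-length label
    if len(out) > MAX_NAME_OCTETS:
        raise ValueError("wire-format name exceeds 255 octets")
    return bytes(out)


def decode_name(wire: bytes) -> List[bytes]:
    """Split an uncompressed wire-format name back into its raw labels."""
    labels, pos = [], 0
    while True:
        n = wire[pos]
        pos += 1
        if n == 0:
            return labels
        if n & 0xC0:                          # 11xxxxxx = compression pointer
            raise ValueError("compression pointers are not handled here")
        labels.append(wire[pos:pos + n])
        pos += n


def is_valid_hostname(name: bytes) -> bool:
    """True if every label satisfies the LDH hostname syntax."""
    bare = name.rstrip(b".")
    if not bare or len(bare) > 253:           # 255 octets on the wire minus framing
        return False
    return all(_LDH_LABEL.match(label) for label in bare.split(b"."))


def classify(name: bytes) -> str:
    """Summarise how a name fares under each rule set."""
    try:
        encode_name(name)
        wire_ok = True
    except ValueError:
        wire_ok = False
    if not wire_ok:
        return "invalid as a DNS name"
    return "valid DNS name, valid hostname" if is_valid_hostname(name) \
        else "valid DNS name, NOT a valid hostname"


if __name__ == "__main__":
    # Constructed sample names, not taken from any real zone.
    for sample in (b"example.com", b"ex#ample.com", b"-bad.com",
                   b"\xff\x00lbl.test", b"a" * 64 + b".com"):
        print("%-28r %s" % (sample, classify(sample)))
```

The point to take from running this is that a resolver or authoritative server that only validates names at the wire-format layer will happily store and serve a label containing '#'; rejecting such names is a policy decision (the "check-names" class of options in BIND, for instance) layered on top of what the protocol itself permits.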
