Validating zones as a slave? (Fw: [DNSOP] I-D Action: draft-ietf-dnsop-root-loopback-04.txt)
Shane Kerr
shane at time-travellers.org
Wed Sep 16 10:13:42 UTC 2015
Tony,
On Tue, 15 Sep 2015 12:17:35 +0100
Tony Finch <dot at dotat.at> wrote:
> Shane Kerr <shane at time-travellers.org> wrote:
> >
> > I was looking at the latest revision of the root loopback draft and it
> > occurred to me that one possible issue is that the BIND 9
> > authoritative server here has some risk of downloading an invalid root
> > file.
> >
> > I realize that the chances are quite slim that any of the IP addresses
> > would ever provide anything other than the latest version of the root,
> > but it is not 100% impossible.
>
> If you are a stealth secondary then your zone transfers can be fairly
> trivially modified in transit.
Well... it can be done in several straightforward ways. I wouldn't say
it's "trivial", at least until script-kiddies can do it. :)
> > I wonder if it makes sense to add some sort of provision like this to
> > BIND 9? It seems like it could be generally useful for a slave server
> > to reject a zone from a master that fails DNSSEC validation.
>
> An alternative is to be a stealth master. Use a cron job to retransfer the
> zone with dig, run dnssec-verify, and if it works update named's copy of
> the zone. But this is fiddly to set up.
>
> My toy server uses Mark's trick of secondarying the root zone to an
> authoritative view, and having a static-stub root zone in the recursive
> view. If the zone gets corrupted in transit then validation will fail and
> recursive service will stop working.
Yes, this is the approach outlined in the draft that I referenced here.
The model does prevent incorrect answers from reaching clients, but as
you point out, validation failure means the service will stop working.
The problem with this is that if any of the places you are secondarying
from are able to deliver a bogus zone, then the system breaks. If BIND
would check the zone before accepting the new version then it could
try another master, and never present incorrect information.
No worries, I'll probably hack something together to implement this
outside of BIND, which is where it belongs anyway. :P
Cheers,
--
Shane
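The cron-job approach Tony describes above (retransfer the zone with dig, run dnssec-verify, then update named's copy), extended with the fallback to another master that Shane asks for, as an added shell example that is not code from this thread or from BIND; the master host names, the zone file path and the script name are placeholders.

```shell
#!/bin/sh
# update-root-zone.sh: Tony's "stealth master" cron job with Shane's
# fallback to another master. Added example, not code from the thread.
# Assumptions: BIND 9 tools on PATH; named is master for "." from $ZONE_FILE
# (the master names below are placeholders, not the real AXFR servers).
set -u

ZONE_FILE=${ZONE_FILE:-/var/named/root.zone}
MASTERS=${MASTERS:-"xfr1.example.net xfr2.example.net"}
DIG=${DIG:-dig}
VERIFY=${VERIFY:-dnssec-verify}
RNDC=${RNDC:-rndc}

# Transfer the root zone from master $1 into file $2 in zone-file form.
fetch_zone() {
    "$DIG" @"$1" . AXFR +onesoa +nocmd +nocomments +noquestion +nostats > "$2"
}

# Check that every RRset in $1 is correctly signed by the zone's DNSKEYs.
# Caveat: dnssec-verify checks internal consistency only; it does not chain
# the DNSKEY RRset to the root trust anchor, so a forged zone signed with its
# own keys passes here and is only caught by the validating resolver view.
verify_zone() {
    "$VERIFY" -o . "$1" >/dev/null 2>&1
}

# Try each master in turn and install the first copy that verifies.
# Returns 0 when named was given a verified zone, 1 when all masters failed.
update_root_zone() {
    tmp=$(mktemp "$ZONE_FILE.XXXXXX") || return 1
    for m in $MASTERS; do
        if fetch_zone "$m" "$tmp" && verify_zone "$tmp"; then
            # Same directory, so mv is an atomic replace; then tell named.
            mv "$tmp" "$ZONE_FILE" && "$RNDC" reload . >/dev/null
            return $?
        fi
        echo "root zone from $m failed transfer or verification, trying next master" >&2
    done
    rm -f "$tmp"
    return 1
}

# Run only when invoked as the script itself; sourcing just defines the functions.
case "${0##*/}" in
    update-root-zone.sh) update_root_zone; exit $? ;;
esac
```

If named serves the root zone in a named view, append the view name to the rndc reload call (rndc reload . IN viewname).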