[bind10-dev] should b10-auth return CNAME chain?
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Mon Jan 24 23:30:48 UTC 2011
At Tue, 25 Jan 2011 09:11:34 +1100,
Mark Andrews <marka at isc.org> wrote:
> > If the CNAME and the A are in the same zone, how can you call it
> > poisoning? If someone has control of the zone, what you get is what you
> > get. I do agree that is could be better to not complete the chain when
> > it is out of zone.
>
> e.g.
>
> bar.example.net CNAME foo.example.net
> foo.example.net A 1.2.3.4
>
> zone "foo.example.net" {
> type forward;
> masters { .... };
Do you mean s/forward/slave/? Or s/masters/forwarders/?
> };
>
> The cache has no way to know that bar.example.net and foo.example.net are
> in the same zone sans DNSSEC.
In any case, I think the point is that it wouldn't matter whether this
server returns both CNAME + A or CNAME only. Even if it only returns
CNAME, the recursive server needs to ask that server for
"foo.example.net" again, and if this server is
misconfigured/broken/malicious, the recursive server will be confused
or poisoned in the end. Of course, if "example.com" has other
authoritative servers with a valid configuration, the recursive server
may be able to get the correct answer if it's lucky. So the situation
is not exactly the same. But, if the argument for stopping the chain
(in the "bailiwick" case) is:
- to *reduce* the probability of accidental poisoning
- when the authoritative server is misconfigured
- and when there's a validly configured server of the original ZONE
that does not sound very convincing to me. (Not necessarily to
say stopping CNAME is a bad idea per se).
---
JINMEI, Tatuya
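Added illustration of the bailiwick argument in the exchange above. This is a toy model written for this page, not b10-auth or BIND 9 code: an authoritative server that can either append the CNAME target's records or stop at the CNAME, and a caching resolver that discards any record outside the zone it asked. The zone names, addresses and the "poisoned" 6.6.6.6 record are constructed sample data; the model ignores referrals, TTLs and DNSSEC, so a delegated or forwarded sub-zone the resolver does not know about is indistinguishable from the parent zone, which is the "sans DNSSEC" case Mark describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record; rdata is the A address or the CNAME target."""
    name: str
    rtype: str
    rdata: str


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (case-insensitive, trailing dot optional)."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


class AuthServer:
    """Authoritative server for one zone (toy model). With complete_chain=True it
    appends the CNAME target's records to the answer; otherwise it stops at the CNAME."""

    def __init__(self, zone: str, records: list, complete_chain: bool):
        self.zone = zone
        self.records = list(records)
        self.complete_chain = complete_chain

    def query(self, name: str, rtype: str) -> list:
        answer = []
        for _ in range(8):  # bound the in-server chain walk
            direct = [r for r in self.records if r.name == name and r.rtype == rtype]
            if direct:
                answer.extend(direct)
                break
            cnames = [r for r in self.records if r.name == name and r.rtype == "CNAME"]
            if not cnames:
                break
            answer.extend(cnames)
            if not self.complete_chain:
                break
            name = cnames[0].rdata  # keep walking the chain inside this server
        return answer


class Resolver:
    """Caching resolver (toy model): asks the server of the closest enclosing zone it
    knows, and drops any RR in the reply that lies outside that zone's bailiwick."""

    def __init__(self, servers: dict):
        self.servers = servers  # zone -> AuthServer
        self.cache = set()
        self.queries = []  # (zone asked, qname) per round trip
        self.dropped = []  # RRs rejected by the bailiwick check

    def cached(self, name: str, rtype: str) -> list:
        return [r for r in self.cache if r.name == name and r.rtype == rtype]

    def server_for(self, name: str):
        zones = [z for z in self.servers if in_bailiwick(name, z)]
        if not zones:
            raise LookupError(f"no known server for {name}")
        zone = max(zones, key=len)  # closest enclosing zone the resolver knows
        return zone, self.servers[zone]

    def resolve(self, name: str, rtype: str, max_chain: int = 8):
        """Return (cname_chain, final_rrs) for name/rtype, chasing CNAMEs via the cache."""
        chain = []
        for _ in range(max_chain):
            if not self.cached(name, rtype) and not self.cached(name, "CNAME"):
                zone, server = self.server_for(name)
                self.queries.append((zone, name))
                for rr in server.query(name, rtype):
                    if in_bailiwick(rr.name, zone):
                        self.cache.add(rr)
                    else:
                        self.dropped.append(rr)  # out-of-zone data is never cached
            final = self.cached(name, rtype)
            if final:
                return chain, final
            cn = self.cached(name, "CNAME")
            if not cn:
                return chain, []
            chain.append(cn[0])
            name = cn[0].rdata
        raise RuntimeError("CNAME chain too long")


def scenario(complete_chain: bool, poison_out_of_zone: bool = False) -> dict:
    """Look up bar.example.net/A against a constructed zone set (sample data).

    complete_chain: whether the example.net server appends the CNAME target's A.
    poison_out_of_zone: point the CNAME into example.org and have the example.net
    server volunteer a bogus A (6.6.6.6) for that out-of-zone target.
    """
    target = "foo.example.org" if poison_out_of_zone else "foo.example.net"
    net_records = [RR("bar.example.net", "CNAME", target), RR("foo.example.net", "A", "1.2.3.4")]
    if poison_out_of_zone:
        net_records.append(RR("foo.example.org", "A", "6.6.6.6"))  # constructed poison
    servers = {
        "example.net": AuthServer("example.net", net_records, complete_chain),
        "example.org": AuthServer("example.org", [RR("foo.example.org", "A", "5.6.7.8")], complete_chain),
    }
    r = Resolver(servers)
    chain, final = r.resolve("bar.example.net", "A")
    return {"addresses": sorted(x.rdata for x in final), "chain": [c.rdata for c in chain],
            "queries": r.queries, "dropped": sorted((d.name, d.rdata) for d in r.dropped)}
```

Running `scenario(True)` and `scenario(False)` shows the in-zone case from the post: with the chain completed the resolver finishes in one round trip, without it the second query for foo.example.net goes back to the very same example.net server, so a broken or malicious server produces the same answer either way. `scenario(True, True)` shows the out-of-zone case: the volunteered foo.example.org A record is dropped by the bailiwick check and the resolver asks example.org's server instead, which is the one situation where stopping the chain and filtering actually change the outcome.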