--On 21 October 2009 09:55:06 +0000 Florian Weimer <fweimer at bfk.de> wrote:
> Ah. I think I now understand what you mean. Well yes they can do that, but they could do it anyway.
>
> There's an additional twist: If I have got a client device (not DNS proxy) which supports the proposed protocol, it will not work when I connect it to a network which uses a resolver that performs this type of spoofing, unless the spoofing resolver has specific support for this protocol. It's not "someone could do evil things and make it break", but "someone already does (perhaps evil) things, and it breaks".
Right, so if a spoofing resolver which does NXDOMAIN redirection but does not support this protocol (and hence returns bogus A records for domain.local.arpa along with everything else) receives a query from a client stack which supports the protocol, it could confuse the client stack by returning A records which don't support DNS queries (e.g. a "sitefinder site").

That's easily remedied, and would be a good addition to the protocol. The first thing the client does is send a query to the candidate new nameserver (possibly with "Christmas tree" options, e.g. DO set and so forth), and check the reply looks sensible. If not, it doesn't use it. That way it doesn't use any server that makes things worse. The query could be an NS query for ".", but perhaps better a fixed record in .ARPA that does exist & is signed.

-- 
Alex Bligh
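The probe-then-check step described in the reply above, written out as an added example (this is not code from the thread or from any of the participants). It builds the probe the client would send to a candidate nameserver (an NS query for "." with the EDNS0 DO bit set), then applies a "does the reply look sensible" test to constructed replies: one from a genuine server and one from a redirecting resolver that substitutes an address record. The wire-format helpers, the hypothetical `reply_looks_sensible` verdict function and the sample replies (including the 192.0.2.10 documentation-range address) are all assumptions of this example; nothing here is sent over the network.

```python
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41
DO_FLAG = 0x8000  # EDNS0 "DNSSEC OK" bit, carried in the OPT RR's TTL field


def norm(name):
    """Canonical form for comparison: lower case, single trailing dot ('.' for root)."""
    return name.rstrip(".").lower() + "."


def encode_name(name):
    """Wire-encode a domain name; '.' becomes just the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype, dnssec_ok=True):
    """One-question probe; with dnssec_ok an OPT RR with DO set is appended ("Christmas tree")."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return msg


def build_reply(txid, qname, qtype, answers, rcode=0):
    """Constructed reply (not captured traffic); answers is [(name, type, rdata_bytes)]."""
    flags = 0x8180 | rcode  # QR + RD + RA, plus the rcode
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_reply(msg):
    """Header, question and answer sections only; that is all the sanity check needs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def reply_looks_sensible(txid, qname, qtype, reply):
    """Hypothetical client-side verdict on a probe reply: (ok, reason).
    qname must be a name known to exist, and qtype a non-address type (NS here)."""
    if len(reply) < 12:
        return False, "truncated header"
    r = parse_reply(reply)
    if r["txid"] != txid or not r["qr"]:
        return False, "not a response to our probe"
    if r["rcode"] != 0:
        return False, "rcode %d for a name that must exist" % r["rcode"]
    if r["questions"] != [(norm(qname), qtype)]:
        return False, "question section not echoed"
    types_for_qname = {rtype for name, rtype, _ in r["answers"] if name == norm(qname)}
    if qtype not in (TYPE_A, TYPE_AAAA) and types_for_qname & {TYPE_A, TYPE_AAAA}:
        return False, "address records substituted for a non-address query (redirection)"
    if qtype not in types_for_qname:
        return False, "no answer of the requested type"
    return True, "ok"


# Constructed probe and replies for the walk-through.
TXID, QNAME, QTYPE = 0x1234, ".", TYPE_NS
PROBE = build_query(TXID, QNAME, QTYPE)
GENUINE = build_reply(TXID, QNAME, QTYPE, [(".", TYPE_NS, encode_name("a.root-servers.net"))])
SPOOFED = build_reply(TXID, QNAME, QTYPE, [(".", TYPE_A, bytes([192, 0, 2, 10]))])
NXDOMAIN = build_reply(TXID, QNAME, QTYPE, [], rcode=3)

if __name__ == "__main__":
    for label, reply in (("genuine", GENUINE), ("spoofed", SPOOFED), ("nxdomain", NXDOMAIN)):
        print(label, reply_looks_sensible(TXID, QNAME, QTYPE, reply))
```

The verdict function only accepts a server once the reply matches the probe, carries no error, and answers the question that was actually asked; a redirecting resolver that hands back address records for a name that was queried for NS fails the check, so the client simply keeps its current configuration rather than adopting a server that makes things worse.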