davidb dives in
Archive
davidb dives in

Contents

internet draft ideas dns related

davidb
   324 words   2 minutes 
Contents

I’m at the IETF this week, and so I get to turn my brain to thinking about IETF-y things, like Internet Drafts that I think should (and could) be written.

Idea #1: Cache Poisoning Resilience

This would be a draft that describes steps beyond RFC 2181 that a resolver must do to protect itself from cache poisoning. (RFC 2181 addresses this problem by introducing credibility rules in section 5.4.1.) Modern caching resolvers need to do more to protect themselves from name poisoning attacks like malicious CNAME chains. I would expect this draft to be able to lay out a few simple rules like:

  • Discard any RRs in a response that are “irrelevant” (i.e., answer RRs that do not match qname/sname, addtional RRs that don’t match names in the RDATA of answer and authority RRs, etc.)
  • Discard any RRs in a response that are not at or below the queried zone.

Update: A draft similar to this was written in 2009 by my friend Wouter: draft-wijngaards-dnsext-resolver-side-mitigation-01. However, it doesn’t appear to address my suggested rules.

Idea #2: Authoritative Servers Should Not Chase CNAMEs

This is a draft discouraging authoritative servers from chasing CNAMEs out-of-zone (or, optionally, at all), based on conclusions presented in draft idea #1. This draft could either side-step or confront other possibly controversial things about CNAME processing, like whether or not the authority section should apply the head or the tail of a CNAME chain.

Idea #3: DNS Name Compression Standards

A draft mandating the DNS name compression only be done in one direction. Virtually all (or perhaps even actually all) implementations have DNS compression pointers only pointing to earlier in the message. This draft would propose that forward-pointing compression pointers should be treated as format errors. This would accomplish two things:

  1. Simplify what implementers need to support when parsing messages, and
  2. Outlaw any possibility of having to deal with a compression pointer loop.

And, in the process, effectively codify standard practice.

Updated on 2008-03-09
Back | Home