Subject: Re: conjoining dns-forgery-resilience with dns-0x20; also, rtt banding (DNS list)
Date: Wed, 12 Mar 2008 14:06:10 +0000
From: Paul Vixie
| 0x20 only contains one protocol change.
| i don't think it's controversial, or
You mean the protocol change? That is, requiring unchanged question
section in the reply? That's fine, it's what I always kind of assumed
was required anyway.
But the way you're proposing to use that? While it is very clever,
even cute, it is also downright evil. The a==A stuff that's in the
DNS is truly annoying, it should never have been done (though I understand
why it was), and it would be nice to be able to make it go away at some
far distant future point of time.
Doing this case flipping trick, and actually having implementations use
it in the wild would mean we could never rid ourselves of that botch to
Further, this trick doesn't help at all for the single most important
DNS lookup that's ever done - the query for the root nameservers.
Manage to forge a reply to that one and none of the others matter.
If anything, by making others harder to forge replies for, but leaving
this one untouched, you'd be shifting attacks more in that direction,
which I don't think would be a useful result.
Last, it results in just plain ugly replies - in the context of AXFR
I saw some mention of name case preservation, and how label compression
can make a mess of this. I think it was marka who said that it's only
in the context of AXFR that anyone ever complains about this. I beg to
differ - this bugs me no end on ordinary queries, and you're proposing
making it worse...
Please put this trick in the "look ma, no hands" category - treat it as
something to marvel at, laugh at, and avoid like the plague.
ps: a better thing to be spending time on might be to redefine the DNS
packet format, and fix lots of the issues that we currently have that
are caused by this - I suspect it can be done in a way (kind of like EDNS0)
whereby the query format would appear compatible with basic old DNS, but
would signal advanced capability - once that's done, the reply can be
whatever will work best - this could fix multiple queries in one packet,
add as many ID bits as could ever be useful, and whatever else needs doing.
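As an added illustration, not code from this thread or from any 0x20 implementation, the following Python sketches the resolver side of the trick under discussion: random case on the outgoing query name, a byte-exact check of the question section echoed in the reply, and the extra guessing work this imposes on an off-path forger. It also makes the root-query point above concrete: a name with no letters gains zero extra bits. All function names and the sample names are assumptions of the example.

```python
import secrets


def _is_ascii_letter(ch: str) -> bool:
    """Only ASCII letters fold under DNS a==A comparison, so only they can carry case bits."""
    return ch.isascii() and ch.isalpha()


def randomize_case(qname: str) -> str:
    """Apply the 0x20 trick: flip each ASCII letter of the query name to a random case.
    Digits, hyphens and label dots are left alone; they contribute no entropy."""
    out = []
    for ch in qname:
        if _is_ascii_letter(ch):
            out.append(ch.upper() if secrets.randbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def extra_entropy_bits(qname: str) -> int:
    """Bits a blind forger must additionally guess: one per ASCII letter in the name.
    The root priming query "." has none, which is exactly the objection raised above."""
    return sum(1 for ch in qname if _is_ascii_letter(ch))


def forgery_guess_space(qname: str, id_bits: int = 16) -> int:
    """Number of (transaction ID, case pattern) combinations a single spoofed reply
    must hit, assuming a fixed source port; 2**16 for a name with no letters."""
    return 2 ** (id_bits + extra_entropy_bits(qname))


def reply_question_matches(sent_qname: str, reply_qname: str) -> bool:
    """Resolver-side acceptance check: the echoed question must match the name as
    sent, byte for byte. A reply that matches only after case folding is treated
    as a possible forgery and dropped rather than cached."""
    return sent_qname == reply_qname


if __name__ == "__main__":
    # Constructed sample names for demonstration only.
    for name in (".", "www.example.com."):
        sent = randomize_case(name)
        print(f"{name!r:20} sent as {sent!r:20} extra bits={extra_entropy_bits(name):2}"
              f" guess space={forgery_guess_space(name)}")
```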