Paul Vixie wrote:

>>>i'm comfortable with that approach, although i think it's safe to use
>>>it as glue for any NS RR,

>>
>>It is unsafe because 1.2.3.4 will give you a forged answer for other
>>queries to ns.example2.com.


> when we last discussed this, i said that no nameserver should hand out
> glue for zones outside its apex, and that if it does hand out such glue
> then it ought not be believed.


As long as glue is used as glue and for no other purpose, which is
necessary now, there is no point in avoiding any glue information.

> my position hasn't changed. has yours?


You should change your position now.

BTW, the following scenario seemingly requires handling of additional
As so that "apex" is not a meaningful concept.

1) an attacker asks a victim nameserver for the NS of example.com.

2) the attacker repeatedly asks a victim nameserver for the MX of
.example.com.

3) the victim nameserver forwards the question to the NS of
example.com

4) the attacker guesses the ID and gives false answers with the source
address of the NS of example.com:

.example.com MX 0 www.example.com

with an additional record of

www.example.com A

That is, except for glue-A, an additional record should be accepted only
if its name exactly matches the query name.

Masataka Ohta
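The two acceptance rules argued in this thread, as an added example that is not code from the message or from either author. It implements the rule proposed at the end of the message (keep glue-A for an NS target in the response, otherwise only records whose owner name equals the query name) beside the "no glue outside the apex" position, and runs both over the forged MX reply of step 4. Reading "glue-A" as an A record whose owner name is the target of an NS record in the same response is an assumption, as are all names, addresses and responses below.

```python
"""Added example, not code from the message or from either author.

Two acceptance filters for the additional section of a DNS response:
  * accept_additional_ohta(): the rule proposed at the end of the message
    (accept glue-A for an NS target in the response, otherwise only records
    whose owner name equals the query name). "Glue-A" is read here as an A
    record whose owner name is the target of an NS record in the response.
  * accept_additional_bailiwick(): the "no glue outside the apex" position
    (accept only records at or below the apex of the zone the queried
    server is authoritative for).
All names, addresses and responses below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, written with a trailing dot
    rtype: str   # "A", "NS", "MX"
    rdata: str   # NS/MX target host (MX preference omitted) or A address


@dataclass
class Response:
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def canon(name: str) -> str:
    """Lower-case with a single trailing dot, so names compare label-wise."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, apex: str) -> bool:
    """True if name is apex or a descendant of apex (label match, not substring)."""
    name, apex = canon(name), canon(apex)
    return name == apex or name.endswith("." + apex)


def accept_additional_ohta(resp: Response) -> List[Tuple[RR, str]]:
    """Additional RRs a resolver may keep, each tagged "glue" or "qname" so
    that glue can be used as glue and for nothing else."""
    ns_targets = {canon(rr.rdata) for rr in resp.answer + resp.authority
                  if rr.rtype == "NS"}
    kept = []
    for rr in resp.additional:
        if rr.rtype == "A" and canon(rr.name) in ns_targets:
            kept.append((rr, "glue"))
        elif canon(rr.name) == canon(resp.qname):
            kept.append((rr, "qname"))
    return kept


def accept_additional_bailiwick(resp: Response, server_apex: str) -> List[RR]:
    """Keep additional RRs at or below the apex the queried server serves."""
    return [rr for rr in resp.additional if in_bailiwick(rr.name, server_apex)]


# --- constructed scenarios ---------------------------------------------------

def forged_mx_response(label: str = "xyz123") -> Response:
    """Step 4 of the message: a spoofed reply to an MX query for
    <label>.example.com that carries an A record for www.example.com."""
    q = f"{label}.example.com."
    return Response(qname=q, qtype="MX",
                    answer=[RR(q, "MX", "www.example.com.")],
                    additional=[RR("www.example.com.", "A", "192.0.2.66")])


def referral_response() -> Response:
    """A normal referral from a .com server: delegation NS plus its glue A."""
    return Response(qname="www.example.com.", qtype="A",
                    authority=[RR("example.com.", "NS", "ns.example.com.")],
                    additional=[RR("ns.example.com.", "A", "192.0.2.1")])


def out_of_zone_glue_response() -> Response:
    """An example.com server delegating sub.example.com to a host in another
    zone and handing out glue for it (the case the thread disagrees on)."""
    return Response(qname="a.sub.example.com.", qtype="A",
                    authority=[RR("sub.example.com.", "NS", "ns.example2.com.")],
                    additional=[RR("ns.example2.com.", "A", "1.2.3.4")])


if __name__ == "__main__":
    forged = forged_mx_response()
    print("forged MX reply, apex rule :", accept_additional_bailiwick(forged, "example.com."))
    print("forged MX reply, Ohta rule :", accept_additional_ohta(forged))
    ooz = out_of_zone_glue_response()
    print("out-of-zone glue, apex rule:", accept_additional_bailiwick(ooz, "example.com."))
    print("out-of-zone glue, Ohta rule:", accept_additional_ohta(ooz))
```

Running it shows the point of the message: the forged www.example.com A record is inside example.com's apex, so the apex rule keeps it, while the query-name rule drops it because it is neither glue for an NS target nor the name that was asked for. The out-of-zone delegation shows the remaining disagreement the other way round: the apex rule refuses the ns.example2.com glue, the query-name rule keeps it, tagged as glue only.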

