Subject: Re: correction! Re: The math of RFC3833.2.2-spoofing a randomising source port resolver (DNS list)
Paul Vixie wrote:
>>>i'm comfortable with that approach, although i think it's safe to use
>>>it as glue for any NS RR,
>>It is unsafe, because, 22.214.171.124 will give you forged answer for other
>>queries to ns.example2.com.
> when we last discussed this, i said that no nameserver should hand out
> glue for zones outside its apex, and that if it does hand out such glue
> then it ought not be believed.
As long as glue is used as glue and for no other purpose, which is
necessary now, there is no point in avoiding any glue information.
> my position hasn't changed. has yours?
You should change your position now.
BTW, the following scenario seemingly requires handling of additional
As such that "apex" is not a meaningful concept.
1) an attacker asks a victim nameserver for NS of example.com.
2) the attacker repeatedly asks the victim nameserver for MX of
3) the victim nameserver forwards the question to NS of
4) the attacker guesses the ID and gives false answers with the source
address of NS of example.com:
.example.com MX 0 www.example.com
with an additional record of
That is, except for glue-A, an additional record should be accepted only
if its name exactly matches the query name.
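The two acceptance rules argued over in this thread, as an added example that is not part of the original message: a small model of a resolver's additional-section filter, comparing the "glue only inside the responder's apex" rule with the stricter "glue-A for NS targets, otherwise only the query name itself" rule, and running both over a reconstruction of the forged reply in step 4. The thread's own lines are truncated, so the MX query name (mail.example.com), the forged address (192.0.2.66) and the referral used for the ns.example2.com case are constructed placeholders.

```python
"""Additional-section acceptance: apex rule vs. exact-name rule (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute (trailing dot)
    rtype: str   # "A", "NS", "MX", ...
    rdata: str


@dataclass
class Response:
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_zone(name: str, apex: str) -> bool:
    """True if name is the apex or lies below it (the bailiwick test)."""
    name, apex = name.lower(), apex.lower()
    return name == apex or name.endswith("." + apex)


def ns_targets(resp: Response) -> set:
    """Nameserver hostnames for which an A record may legitimately be glue."""
    return {rr.rdata.lower() for rr in resp.answer + resp.authority if rr.rtype == "NS"}


def accept_additional(resp: Response, apex: str, policy: str) -> List[Tuple[RR, bool]]:
    """Decide which additional RRs a cache accepts from a server authoritative for `apex`.

    Returns (rr, glue_only) pairs. glue_only=True means the record may be used
    to reach that nameserver but must never be served as an answer to a client.

    policy == "apex":  accept anything whose owner is inside the apex.
    policy == "exact": accept A/AAAA for NS targets as glue-only; any other
                       additional record only if its owner equals the query name.
    """
    accepted: List[Tuple[RR, bool]] = []
    targets = ns_targets(resp)
    for rr in resp.additional:
        name = rr.name.lower()
        if not in_zone(name, apex):
            continue  # both rules drop glue for zones outside the responder's apex
        if policy == "apex":
            accepted.append((rr, False))
        elif policy == "exact":
            if rr.rtype in ("A", "AAAA") and name in targets:
                accepted.append((rr, True))
            elif name == resp.qname.lower():
                accepted.append((rr, False))
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return accepted


# Constructed messages, not from the thread; names and addresses are placeholders.
APEX = "example.com."

# Step 4 of the scenario: a spoofed reply to "MX mail.example.com?" whose
# additional section carries an A record for a different name in the zone.
FORGED = Response(
    qname="mail.example.com.", qtype="MX",
    answer=[RR("mail.example.com.", "MX", "0 www.example.com.")],
    additional=[RR("www.example.com.", "A", "192.0.2.66")],  # attacker-chosen
)

# A legitimate referral: in-zone glue for one NS target, plus glue for a
# nameserver in another zone (the ns.example2.com case from the thread).
REFERRAL = Response(
    qname="mail.example.com.", qtype="MX",
    authority=[RR("example.com.", "NS", "ns.example.com."),
               RR("example.com.", "NS", "ns.example2.com.")],
    additional=[RR("ns.example.com.", "A", "192.0.2.1"),
                RR("ns.example2.com.", "A", "192.0.2.2")],
)


def cached_names(resp: Response, apex: str, policy: str) -> List[str]:
    """Owner names that would enter the cache as answer data (glue-only excluded)."""
    return [rr.name for rr, glue_only in accept_additional(resp, apex, policy)
            if not glue_only]


if __name__ == "__main__":
    for policy in ("apex", "exact"):
        print(policy, "forged  ->", cached_names(FORGED, APEX, policy))
        print(policy, "referral ->", accept_additional(REFERRAL, APEX, policy))
```

Under the apex rule the forged www.example.com A record is inside example.com and is cached as answer data, which is the poisoning the scenario describes; under the exact-name rule it is neither the query name nor glue for an NS target, so it is dropped. Both rules refuse the ns.example2.com glue, and the exact-name rule keeps ns.example.com only as glue.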