Re: nonce label prefix (was Re: More 0x20 craziness)

At Fri, 29 Aug 2008 20:17:29 +0200, "Roy Arends" wrote:
> During resolution, prepend a label with a nonce to the query. The query
> would look like .www.example.com. Each request has a unique nonce,
> a nonce is never re-used.
> This continues until an authoritative answer is received (either NXDOMAIN,
> wildcard, CNAME, DNAME, anything that either terminates or restarts the
> resolution process). That authoritative answer comes most likely from a
> server that is authoritative for the www.example.com domain. (most likely,
> since in theory, the .www.example.com name could be delegated from
> the www.example.com domain, which is most unlikely, as that would suggest
> delegation point wildcard NS RRSets).
> Anyway, we now have an address of a nameserver that is authoritative for
> We could send it a priming query for the authoritative nameservers (Wouter
> Wijngaards' idea).
> In any case, we can now send it a query for www.example.com.
One thing I've puzzled about regarding this type of approach is its
cost-benefit tradeoff. If we can only use it in identifying
intermediate NSes, I thought our 'best current practice' (i.e.,
randomized QID + source port (+ perhaps source IP address (+ perhaps
'traditional' 0x20))) already provided reasonable security. We could
also use this to confirm possible change of already cached NS as
seemingly indicated in this thread, but for that purpose we can
actually simply fetch the authoritative NS RRset directly; then the
trust ranking concept of RFC2181 will protect us from further attacks.
Of course, the
or makes the transaction even securer,
so if we can get it free, that would be wonderful; but it actually
comes with a cost, including more queries that are redundant
otherwise, handling miscellaneous corner cases or non-compliant
authoritative servers, run-time cost including getting additional
entropy, and of course implementation cost (which is probably minor,
So far, the tradeoff is not so obvious to me (indeed, it seems to me
the known benefit isn't worth the cost), but as no one else seems to
have the same doubt, am I missing something fundamental, or does the
benefit so obviously outweigh the cost for others?
Internet Systems Consortium, Inc.
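
The following sketch is an added example, not code from either poster or from any resolver: it puts the quoted nonce-label idea next to the randomized QID, source port and 0x20 that the reply calls best current practice, and shows the resolver-side acceptance check plus how many guessable bits each variant gives a blind spoofer. The nonce length, the function names and the dict stand-in for a DNS message are assumptions made for illustration.

```python
import math
import secrets

NONCE_BYTES = 8  # assumption: the thread does not specify a nonce length

def nonce_qname(name: str) -> str:
    """Prepend a fresh, never-reused random label to the name being resolved."""
    return f"{secrets.token_hex(NONCE_BYTES)}.{name}"

def mix_case_0x20(qname: str) -> str:
    """'Traditional' 0x20: randomise the case of every ASCII letter."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower()) if c.isalpha() else c
        for c in qname
    )

def new_query(name: str) -> dict:
    """Bundle the unpredictable fields that a genuine reply has to echo."""
    return {
        "qid": secrets.randbits(16),
        "sport": 1024 + secrets.randbelow(65536 - 1024),
        "qname": mix_case_0x20(nonce_qname(name)),
    }

def accept(query: dict, reply: dict) -> bool:
    """Accept only if QID, destination port and question name match exactly."""
    return (
        reply.get("qid") == query["qid"]
        and reply.get("dport") == query["sport"]
        # case-sensitive comparison: covers both the nonce label and 0x20
        and reply.get("qname") == query["qname"]
    )

def entropy_bits(name: str, with_nonce: bool) -> float:
    """Upper bound on the bits a blind spoofer must guess for one query."""
    bits = 16 + math.log2(65536 - 1024)      # QID + source port
    bits += sum(c.isalpha() for c in name)   # 0x20: one bit per letter of the name
    if with_nonce:
        bits += 8 * NONCE_BYTES              # random label (its own 0x20 bits not counted)
    return bits
```

For `www.example.com` this gives roughly 45 bits without the nonce label and 64 more with it, which is the benefit side of the tradeoff the reply weighs against the extra queries.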