At Fri, 29 Aug 2008 22:44:35 +0100, wrote:

> > but for that purpose we can actually simply fetch the authoritative
> > NS RRset directly; then the trust ranking concept of RFC2181 will
> > protect us from further attacks.

> The problem as I saw it is that the real authoritative NS RRset (the one
> that's in the delegated zone) has to be fetched from an IP address which
> is learnt from DNS requests which are less credible (per RFC2181 rules).
> Or, to put it another way, you're suggesting that we believe 5th tier
> information ("glue from a primary zone") to get 3rd tier information
> ("authoritative data included in the answer section of an authoritative
> reply").

Right, but that part is established by "identifying intermediate NSes"
(quoting my previous message) and "I thought our 'best current
practice' (i.e., randomized QID + source port (+ perhaps source IP
address (+ perhaps 'traditional' 0x20))) already provided reasonable
security" (ditto). Note that the available window for the attacker is
very limited (generally, just once per TTL) because we'd trigger the
confirmation query if we detect an update attempt with different

Again, I understand the additional nonce makes this process even
securer. My question is whether the benefit outweighs its cost.

JINMEI, Tatuya
Internet Systems Consortium, Inc.

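As an added illustration, not code from the thread or from any resolver, here is a small Python model of the two ideas under discussion: the RFC 2181 section 5.4.1 trust ranking (a less credible RRset never overwrites a more credible cached one) and the confirmation query that fires at most once per TTL when conflicting data arrives. The `RRsetCache` class, the source labels and the sample names are constructed for this example.

```python
import time

# RFC 2181 section 5.4.1 trust ranking; lower number = more credible.
RANK = {
    "primary_zone": 1,
    "zone_transfer": 2,
    "auth_answer": 3,         # authoritative data in the answer section of an authoritative reply
    "auth_authority": 4,      # authority section of an authoritative answer
    "glue_or_additional": 5,  # glue, or additional data from an authoritative answer
    "nonauth_answer": 6,
    "nonauth_additional": 7,
}


class RRsetCache:
    """Caches one RRset per (owner, type) together with its rank and expiry (constructed model)."""

    def __init__(self, now=time.time):
        self.now = now                   # injectable clock so the logic can be tested offline
        self.entries = {}                # (owner, type) -> {"rdata", "rank", "expires"}
        self.confirm_blocked_until = {}  # (owner, type) -> time before which no new confirmation fires

    def offer(self, owner, rtype, rdata, source, ttl):
        """Offer an RRset seen in a response; return the action taken."""
        key = (owner.lower(), rtype)
        rank, rdata, t = RANK[source], frozenset(rdata), self.now()
        cur = self.entries.get(key)
        if cur is None or cur["expires"] <= t:
            # Nothing valid cached: accept whatever we have, even glue. This is the
            # bootstrap step the thread discusses, where lower-ranked data must be used.
            self.entries[key] = {"rdata": rdata, "rank": rank, "expires": t + ttl}
            return "cached"
        if rank <= cur["rank"]:
            # An equally or more credible source may replace the cached RRset.
            self.entries[key] = {"rdata": rdata, "rank": rank, "expires": t + ttl}
            return "replaced"
        if rdata == cur["rdata"]:
            return "ignored"             # same data from a weaker source: nothing to do
        # Conflicting data from a less credible source never overwrites the cache.
        # Instead, schedule one confirmation query at the authoritative servers;
        # further conflicting offers are dropped until the cached entry expires,
        # which limits an attacker to one attempt per TTL.
        if self.confirm_blocked_until.get(key, 0) > t:
            return "ignored"
        self.confirm_blocked_until[key] = cur["expires"]
        return "confirm"

    def current(self, owner, rtype):
        """Return the cached rdata for (owner, type), or None if absent or expired."""
        cur = self.entries.get((owner.lower(), rtype))
        return None if cur is None or cur["expires"] <= self.now() else cur["rdata"]
```

The answer to a confirmation query is fed back through `offer()` with source `"auth_answer"`, so rank-3 data obtained that way replaces the cached RRset while the rank-5 glue that conflicted with it does not.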