[106422] in North American Network Operators' Group


Re: Great Suggestion for the DNS problem...?

daemon@ATHENA.MIT.EDU (Colin Alston)
Mon Jul 28 15:20:03 2008

Date: Mon, 28 Jul 2008 21:19:39 +0200
From: Colin Alston <karnaugh@karnaugh.za.net>
To: "Jay R. Ashworth" <jra@baylink.com>
In-Reply-To: <20080728190541.GG15946@cgi.jachomes.com>
X-MailScanner-From: karnaugh@karnaugh.za.net
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

On 2008/07/28 09:05 PM Jay R. Ashworth wrote:
> Is there any reason which I'm too far down the food chain to see why
> that's not a fantastic idea?  Or at least, something inspired by it?

If NS records pointed to IPs instead of names, then this problem might 
not exist.
The root holds glue going up the chain, and you could reject 
authoritative responses from IPs not listed as authoritative NS for 
that zone.

I.e. for karnaugh.za.net, net is looked up from root. Root IP addresses 
are queried directly, so you know to ignore responses coming from 
someone else. That gives you net (the same gTLD, how convenient) and an 
authoritative IP response for its NS. So you look up za.net and get 
correct glue and so on.

Actually, if glue were always served up the resolution chain, then 
only crummy glueless delegations would be vulnerable.

Anyone feel like redesigning the DNS protocol? Anyone? No? :(
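
The walk Colin sketches (root -> net -> za.net, trusting a reply only if it comes from an address the parent handed down as glue) as a toy resolver in Python. This is an added illustration, not code from the post or from any resolver; every server address, nameserver name and the forged packet are constructed sample data, and the "wire" is a function that lets the forged reply arrive first. The toy keys its decision on the address the packet claims to come from, which on UDP is itself forgeable, so it shows the filtering logic, not that the logic alone stops spoofing.

```python
"""Toy iterative resolver: walk the delegation chain from the root and accept
a reply only if its source address is one the parent handed us as glue.
Added illustration for the NANOG thread; all names and addresses below are
constructed sample data, not real servers."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Response:
    src_ip: str                       # address the datagram claims to come from
    qname: str                        # name the reply is about
    delegation: dict = field(default_factory=dict)  # ns name -> glue IP for the child
    answer: Optional[str] = None      # terminal A record if this server is authoritative


# Constructed toy namespace: server IP -> {qname: the reply that server gives}.
ROOT_IPS = frozenset({"198.41.0.4"})
SERVERS = {
    "198.41.0.4": {                                   # the (only) root server
        "net.": Response("198.41.0.4", "net.", {"a.gtld.example.": "192.5.6.30"}),
    },
    "192.5.6.30": {                                   # the net. server
        "za.net.": Response("192.5.6.30", "za.net.", {"ns1.za.net.": "196.0.2.10"}),
    },
    "196.0.2.10": {                                   # authoritative for za.net.
        "karnaugh.za.net.": Response("196.0.2.10", "karnaugh.za.net.", answer="198.51.100.7"),
    },
    "203.0.113.66": {                                 # attacker-controlled server
        "karnaugh.za.net.": Response("203.0.113.66", "karnaugh.za.net.", answer="203.0.113.66"),
    },
}

# Constructed forged packet: claims to delegate za.net. to the attacker's box.
SPOOFED = (
    Response("203.0.113.66", "za.net.", {"ns1.za.net.": "203.0.113.66"}),
)


def send_query(dst_ip, qname, injected=()):
    """Model the wire: forged replies win the race and arrive first,
    then the genuine reply from the server we actually asked."""
    wire = [r for r in injected if r.qname == qname]
    real = SERVERS.get(dst_ip, {}).get(qname)
    if real is not None:
        wire.append(real)
    return wire


def resolve(name, injected=(), strict=True):
    """Resolve `name` from the root. With strict=True a reply whose source
    address is not in the glue for the zone being asked is discarded.
    Returns (address, log) so the accept/reject decisions can be inspected."""
    labels = name.rstrip(".").split(".")
    # Ask for successively longer suffixes: net., za.net., karnaugh.za.net.
    qnames = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    allowed = set(ROOT_IPS)  # addresses we may trust for the next step
    log = []
    for qname in qnames:
        accepted = None
        for dst in sorted(allowed):
            for resp in send_query(dst, qname, injected):
                if strict and resp.src_ip not in allowed:
                    log.append(f"reject {qname} from {resp.src_ip}: not in {sorted(allowed)}")
                    continue
                accepted = resp
                break
            if accepted is not None:
                break
        if accepted is None:
            raise LookupError(f"no acceptable response for {qname}")
        log.append(f"accept {qname} from {accepted.src_ip}")
        if accepted.answer is not None:
            return accepted.answer, log
        if not accepted.delegation:
            raise LookupError(f"{qname}: neither answer nor delegation")
        allowed = set(accepted.delegation.values())  # glue from the parent
    raise LookupError(f"ran out of labels before an answer for {name}")


if __name__ == "__main__":
    for strict in (True, False):
        addr, log = resolve("karnaugh.za.net.", SPOOFED, strict=strict)
        print(f"strict={strict}: karnaugh.za.net. -> {addr}")
        for line in log:
            print("  " + line)
```

With `strict=True` the forged za.net. delegation is rejected because 203.0.113.66 is not the glue the net. server returned, and the lookup ends at 198.51.100.7; with `strict=False` the same forged packet redirects the rest of the walk to the attacker's server. The glueless case in the post is visible in the structure: if a delegation carried only nameserver names and no addresses, `allowed` would be empty at that step and there would be nothing to compare the reply's source against.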

