The byzantine convolutions of RFC 2317-style delegation
Pete Ehlke
pde at ehlke.net
Fri Aug 6 22:49:28 UTC 2004
On Fri Aug 06, 2004 at 16:43:28 +0000, Jonathan de Boyne Pollard wrote:
>SH> In the zone 12.12.12.in-addr.arpa, there must be a pointer which
>SH> delegates the record to your nameserver :
>SH> 128 PTR 128.128-255.12.12.12.in-addr.arpa.
>
>No. In RFC 2317-style delegation there should be a *client-side alias*
>that re-maps the original name to one with the extra "128-255" label in
>it, and a *delegation* of "128-255.12.12.12.in-addr.arpa.". A "PTR"
>resource record is exactly what there *shouldn't* be.
>
>SH> There is actually an RFC for doing just this, but it's number
>escapes me.
>
>That's probably a good thing. You should thank your lucky stars. (-:
>
><URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/avoid-rfc-2317-delegation.html>
Note that as has been pointed out again and again on this list, Mr.
Pollard's scheme leaks namespace and is, in fact, a blueprint for how to
engage in cache poisoning. Please do not follow his examples; they
provide no discernible benefit over the standard method of doing this,
and in fact inject harm, breaking some resolvers that erroneously
believe bogus authority claims.
If rfc2317 itself is confusing to you, there is a fairly simple summary at
http://www.acmebw.com/askmrdns/archive.php?category=81&question=579
Or contact me off-list and I'd be happy to help you out.
-Pete
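As an added illustration (not part of the thread above, and not Pete's or Mr. Pollard's own configuration), here is what the standard RFC 2317 layout for the 128-255 half of 12.12.12.0/24 looks like in BIND zone-file form. Server names (ns1.isp.example, ns1.customer.example and so on), the SOA values and the two PTR targets are constructed for the example. The parent zone holds only the NS delegation and one CNAME per address; the PTR records live exclusively in the delegated sub-zone, which is the point of the exchange above.

```zone
; --- Parent zone 12.12.12.in-addr.arpa, served by the address-block owner (ISP).
; Nothing here asserts authority over the 128-255 sub-zone; it only delegates
; it and aliases each address into it.
$ORIGIN 12.12.12.in-addr.arpa.
$TTL 86400
@       IN SOA  ns1.isp.example. hostmaster.isp.example. (
                2004080601 ; serial (constructed)
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                3600 )     ; negative-cache TTL
        IN NS   ns1.isp.example.
        IN NS   ns2.isp.example.

; Delegation of the /25 "128-255" label to the customer's servers (assumed names).
128-255 IN NS   ns1.customer.example.
128-255 IN NS   ns2.customer.example.

; Client-side aliases: 12.12.12.130 -> 130.128-255.12.12.12.in-addr.arpa, etc.
; $GENERATE expands to 128 CNAME records; "$" is the current number, and the
; right-hand side is relative to $ORIGIN.
$GENERATE 128-255 $ CNAME $.128-255

; --- Child zone 128-255.12.12.12.in-addr.arpa, served by the customer.
; This is the only place PTR records for 12.12.12.128-255 exist.
$ORIGIN 128-255.12.12.12.in-addr.arpa.
$TTL 86400
@       IN SOA  ns1.customer.example. hostmaster.customer.example. (
                2004080601 3600 900 1209600 3600 )
        IN NS   ns1.customer.example.
        IN NS   ns2.customer.example.

130     IN PTR  mail.customer.example.   ; constructed sample records
131     IN PTR  www.customer.example.
```

A resolver handling `dig -x 12.12.12.130` asks for 130.12.12.12.in-addr.arpa, receives the CNAME from the parent, follows it to 130.128-255.12.12.12.in-addr.arpa, and is referred by the NS records to the customer's servers, which answer with the PTR. Because the parent zone never carries a PTR (or any other data) under the 128-255 label, neither side's answers claim authority for names the other owns, which is the property the thread is concerned with. Each file can be checked for syntax with BIND's `named-checkzone` before loading; a common mistake worth checking for is a $GENERATE right-hand side with a trailing dot, which would make the aliases absolute and point outside the zone.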