The problems that RFC 2317-style delegation cause

Pete Ehlke pde at ehlke.net
Fri Aug 6 22:50:39 UTC 2004


On Fri Aug 06, 2004 at 16:43:18 +0000, Jonathan de Boyne Pollard wrote:
>l> In testing this [...]
>
>... you've re-discovered that RFC 2317-style delegation breaks the 
>features of many DNS softwares, including the convenience feature of 
>"dig" that you are using here that allows one to perform reverse lookups 
>easily without manually converting the IP address to the equivalent 
>"in-addr.arpa." reverse lookup domain name.
>

Note that, as has been pointed out again and again on this list, Mr.
Pollard's scheme leaks namespace and is, in fact, a blueprint for how to
engage in cache poisoning. Please do not follow his examples; they
provide no discernible benefit over the standard method of doing this,
and in fact inject harm, breaking some resolvers that erroneously
believe bogus authority claims.

If RFC 2317 itself is confusing to you, there is a fairly simple summary at

http://www.acmebw.com/askmrdns/archive.php?category=81&question=579

Or contact me off-list and I'd be happy to help you out.

-Pete
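For readers who want to see what the standard RFC 2317 classless in-addr.arpa delegation looks like, here is an added, self-contained Python example (not code from the poster or from the bind-users list). It computes the in-addr.arpa name that `dig -x` derives from an IPv4 address, generates the parent-zone NS and CNAME records that delegate a sub-/24 block (the `0/26` child-zone label, the `192.0.2.0/26` network, `ns.example.` and `host1.example.` are constructed sample values), and walks the CNAME chain the way a resolver does to reach the PTR in the child zone. The simulated zone data is a plain dictionary constructed inline; nothing is sent over the network.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A zone snapshot is modelled as: owner name -> (rrtype, rdata). Constructed for this example.
Zone = Dict[str, Tuple[str, str]]


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa owner name for an IPv4 address, i.e. what `dig -x` computes."""
    return ipaddress.IPv4Address(ip).reverse_pointer  # '1.2.0.192.in-addr.arpa' for 192.0.2.1


def rfc2317_parent_records(cidr: str, child_ns: str) -> List[Tuple[str, str, str]]:
    """Generate the RFC 2317 records the /24 parent zone needs to delegate a smaller block.

    Returns (owner, rrtype, rdata) triples: one NS record for the child zone whose label
    is '<first-octet>/<prefix-length>', plus one CNAME per address pointing into that child zone.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 is only needed for blocks smaller than a /24")
    first_three = str(net.network_address).split(".")[:3]
    parent_zone = ".".join(reversed(first_three)) + ".in-addr.arpa."
    child_label = f"{net.network_address.packed[3]}/{net.prefixlen}"
    child_zone = f"{child_label}.{parent_zone}"
    records = [(child_zone, "NS", child_ns)]
    for addr in net:  # every address in the block, network and broadcast included
        last_octet = addr.packed[3]
        records.append((f"{last_octet}.{parent_zone}", "CNAME", f"{last_octet}.{child_zone}"))
    return records


def resolve_ptr(ip: str, zones: Zone, max_chain: int = 8) -> Optional[str]:
    """Follow CNAMEs from the in-addr.arpa name until a PTR is found, as a resolver would.

    max_chain guards against CNAME loops in bad zone data. Returns the PTR target or None.
    """
    name = reverse_name(ip) + "."
    for _ in range(max_chain):
        rr = zones.get(name)
        if rr is None:
            return None
        rrtype, rdata = rr
        if rrtype == "PTR":
            return rdata
        if rrtype == "CNAME":
            name = rdata  # continue the chase at the CNAME target
            continue
        return None  # some other type at this name: no PTR reachable
    return None


def build_sample_zones() -> Zone:
    """Constructed sample: parent 2.0.192.in-addr.arpa delegates 192.0.2.0/26 to ns.example."""
    zones: Zone = {}
    for owner, rrtype, rdata in rfc2317_parent_records("192.0.2.0/26", "ns.example."):
        zones[owner] = (rrtype, rdata)
    # The child zone, served by the delegate, holds the actual PTR records.
    zones["1.0/26.2.0.192.in-addr.arpa."] = ("PTR", "host1.example.")
    zones["2.0/26.2.0.192.in-addr.arpa."] = ("PTR", "host2.example.")
    return zones


if __name__ == "__main__":
    z = build_sample_zones()
    print(reverse_name("192.0.2.1"))          # 1.2.0.192.in-addr.arpa
    print(resolve_ptr("192.0.2.1", z))        # host1.example.
    print(resolve_ptr("192.0.2.100", z))      # None: 192.0.2.100 is outside the /26
```

The parent zone carries 65 records for a /26 (one NS plus 64 CNAMEs); a resolver that follows the CNAME into the `0/26` child zone reaches the PTR without any special handling, which is why the standard method does not break `dig -x`.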

