Additional Section Cache Without Consulting Authoritative Data - Why?
Sabahattin Gucukoglu
mail at sabahattin-gucukoglu.com
Thu Jul 24 05:04:28 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Kevin,
On 23 Jul 2008 at 20:26, Kevin Darcy <kcd at chrysler.com> said:
> Sabahattin Gucukoglu wrote:
> > How is this proper? I observe Bind 9 doing it, and a quick rifle of RFC
> > 1034-5 says that additional section data provided for crossing a zone cut
> > is, without doubt, not authoritative.
> RFC 2181 is the more modern reference, as far as "ranking data" is
> concerned. See Section 5.4.1 of that RFC.
Cool! Thanks. But this only seems to confirm that the problem actually
exists, since the additional section is the most "Mistrusted" data
available for use according to that list and, indeed, the spirit of
Additional data in 1034-5. And anyway, there's this smoking gun:
| Unauthenticated RRs received and cached from the least trustworthy of
| those groupings, that is data from the additional data section, and
| data from the authority section of a non-authoritative answer, should
| not be cached in such a way that they would ever be returned as
| answers to a received query. They may be returned as additional
| information where appropriate. Ignoring this would allow the
| trustworthiness of relatively untrustworthy data to be increased
| without cause or excuse.
In other words, don't ever trust the additional data to actually be useful
for any purpose other than the very one for which it can not fail to be
used or useful: delegation.
If I wrote a DNS server, I wouldn't even bother to cache it. Why should
I? It's only a bootstrap - it loses its usefullness as soon as I've got
what I want out of the next hop nameserver, which may well be the address
of that nameserver from that nameserver. That's a result I *can* keep,
usefully. Stuff the next-door neighbour - he can do as I did, unless I
happened to need that nameserver's address while recursing myself (I.E.
while actually needing the authoritative address of a host listed in the
NS records at a delegation or in response to an actual query I get), in
which case I'll be so good as to pass the information along in case he's
in the same situation. Only then, though, as handing over stray data is
kind of defeating the non-caching role. And if I am on a mission to
recurse for others, I care about trustworthy results, so I'll keep chasing
till I get what I want out of an authoritative server, including every
single authoritative response, just as though no glue were involved.
Last but not least, though,
host -v -t a bloodstone.sabahattin-gucukoglu.com
against a BIND 9 cache that hasn't seen a query for Bloodstone in a bit
returns the result from the parent (in this case, the .com) zone rather
than the authoritative response. That is to say, it actually violates the
above paragraph explicitly. It isn't alone though, so I am probably
missing something pretty large in all this.
Cheers,
Sabahattin
- --
Sabahattin Gucukoglu <mail<at>sabahattin<dash>gucukoglu<dot>com>
Address harvesters, snag this: feedme at yamta.org
Phone: +44 20 88008915
Mobile: +44 7986 053399
http://sabahattin-gucukoglu.com/
-----BEGIN PGP SIGNATURE-----
Version: PGP 8
Comment: QDPGP - http://community.wow.net/grt/qdpgp.html
iQA/AwUBSIgNXSNEOmEWtR2TEQIAQACfXDHaTjjGPun7LqvaYOUq2ezXqLcAoM1Z
dRfNsXUAyQqFR3gq2XQLzGnS
=rKF0
-----END PGP SIGNATURE-----
More information about the bind-users
mailing list