bind qname minimization thoughts

Tony Finch dot at dotat.at
Tue May 28 11:46:11 UTC 2019


Daniel Stirnimann <daniel.stirnimann at switch.ch> wrote:
>
> I would like BIND to also more gracefully handle qmin errors. This could
> mean changing to the query type A (See attached patch for BIND
> 9.14.2) or disabling qmin on errors.

I tend to think that making A queries instead of NS is the best way to
reduce the complexity of workarounds for interop problems.

The idea of using NS queries for qmin is partly my fault
(https://mailarchive.ietf.org/arch/msg/dns-privacy/gAgGx9Zz6W0OfyRdJ0Rx7xxmHDg).
I was trying to start a discussion with a starting point that minimizes
information leakage, in particular it tries not to leak the query type.

But this algorithm vigorously exposes lame delegations that do not
normally cause failures in normal resolution (though a malicious client
could cause the same resolution failures by making NS queries). A queries
don't do this because they don't cause broken apex NS RRsets to evict
working delegation NS RRsets (RFC 2181 ranking).

I kind of expected more discussion about interop problems while RFC 7816
was in the works, or while implementations were in the works - after all
the algorithm is an example in a non-normative appendix to an experimental
RFC ...

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Humber, Thames: Northeast becoming variable 3 or 4, then south 4 or 5 later.
Slight occasionally moderate. Showers. Good.
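The interaction Tony describes above, as an added toy model that is not part of his mail or of BIND: the zone contents, server names and numeric ranks are constructed, the rank order follows RFC 2181 section 5.4.1, and only the answer section of replies is modelled (the authority section is ignored).

```python
# Added toy model (not BIND code): qname minimisation probes with NS vs A,
# and how RFC 2181 credibility ranking decides whether the child's apex
# NS RRset replaces the parent's delegation NS RRset in the cache.
# Zone data and names are constructed; only the answer section is modelled.

# Credibility ranks, higher wins (subset of RFC 2181 section 5.4.1).
RANK_AUTH_ANSWER = 3          # authoritative data in the answer section
RANK_REFERRAL_AUTHORITY = 1   # NS RRset in the authority section of a referral


def qmin_names(qname):
    """Minimised query names for qname, shortest first (RFC 7816 appendix A style)."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def install(cache, name, rrtype, rdata, rank):
    """RFC 2181 section 5.4.1: a cached RRset is replaced only by data of
    equal or higher credibility. Returns True when the cache changed."""
    key = (name, rrtype)
    if key in cache and cache[key][1] > rank:
        return False
    cache[key] = (rdata, rank)
    return True


# Constructed zones: the parent delegates b.example. to a working server,
# but the child's own apex NS RRset points at a server that is lame.
PARENT_DELEGATION = ["ns1.working.example."]
CHILD_APEX_NS = ["ns1.lame.example."]


def answer(qname, qtype):
    """Constructed authoritative reply from the b.example. servers, as a dict
    of (name, type) -> rdata for the answer section only."""
    if qname == "b.example." and qtype == "NS":
        return {("b.example.", "NS"): CHILD_APEX_NS}
    return {}   # NODATA: e.g. an A probe at an intermediate label


def resolve(qname, probe_type):
    """Walk the minimised names with the given probe type and return the
    NS RRset the resolver ends up trusting for b.example.."""
    cache = {}
    # Referral from the parent: low credibility (authority section of a referral).
    install(cache, "b.example.", "NS", PARENT_DELEGATION, RANK_REFERRAL_AUTHORITY)
    for name in qmin_names(qname):
        for (n, t), rdata in answer(name, probe_type).items():
            install(cache, n, t, rdata, RANK_AUTH_ANSWER)
    return cache[("b.example.", "NS")][0]
```

With NS probes the lame apex NS RRset evicts the working delegation; with A probes the delegation survives, which is the difference the mail is about.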