Dailydave mailing list archives

Re: DNS Speculation


From: "Dominique Brezinski" <dominique.brezinski () gmail com>
Date: Tue, 22 Jul 2008 19:22:46 -0700

On Tue, Jul 22, 2008 at 10:27 AM, natron <shiftnato () gmail com> wrote:
> I assume that mucking with ns.google.com's ability to update
> *.google.com records on the fly would probably negatively impact large
> organizations' current DNS architectures, where they probably rely on
> this for redundancy and load balancing.
>
> Nathan

Your assumption is absolutely correct. The name servers that are
authoritative for a domain need to be able to update and change the
records for the domain at any time. Think about the case where a
network re-architecture needs to be completed, or there is a massive
failure that needs a readdressing to fix, etc. I worked on the
security engineering team at amazon.com through the 2000 DDoS attacks
as well as numerous other attacks and non-security failures. There
were a couple of times where pushing DNS changes, including changing the
location of primary and secondary name servers, was a completely valid
and necessary action to fix a problem.

I am not trying to be condescending, but all this talk about the
validity of caching additional RR fields is bogus. Of course a caching
server should give precedence to additional RR entries provided by the
authoritative source over those in the cache. Think about responding
to a cache poisoning attack... you sure want your valid, authoritative
responses to supersede the poisoned cache entries! The cache logic as
implemented is fine; it is identification and authorization of who is
authoritative for a domain that is the issue. I am not a fan of DNSSEC
as implemented, but identification and authorization is why people
like Paul Vixie push it. As noted in the thread, adding source port
randomization increases the number of unique bits used to identify and
authorize a response as valid.

Dom
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
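The two points Dom makes above, that a resolver's acceptance of a response rests on matching the outstanding query's identifying bits (TXID, plus the source port once it is randomized), and that a later authoritative answer simply overwrites whatever sits in the cache, can be made concrete with a toy model. The code below is an added example written for this archive page; it is not from the thread or from any real resolver. The `Resolver`, `Query`, `Response` classes and the helper functions are assumed names, the port space is simplified to a full 16 bits, and TTLs and bailiwick checks are deliberately left out so the identity check is the only thing deciding whether a forged response lands.

```python
"""Toy caching resolver: a response is accepted only if its TXID and
destination port match an outstanding query. Constructed example; the
names below are assumptions made for this illustration."""
import random
from dataclasses import dataclass

TXID_BITS = 16
PORT_BITS = 16  # simplification: real resolvers use fewer than 65536 ports


@dataclass
class Query:
    name: str
    txid: int
    sport: int


@dataclass
class Response:
    name: str
    txid: int
    dport: int
    records: dict  # answer plus additional-section RRs, name -> address


class Resolver:
    """Caches whatever the most recent accepted response says."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}
        self.pending = {}

    def identity_bits(self) -> int:
        """Bits an attacker must guess to have a forged response accepted."""
        return TXID_BITS + (PORT_BITS if self.randomize_port else 0)

    def send_query(self, name: str) -> Query:
        sport = self.rng.randrange(2 ** PORT_BITS) if self.randomize_port else 53
        q = Query(name, self.rng.randrange(2 ** TXID_BITS), sport)
        self.pending[name] = q
        return q

    def receive(self, resp: Response) -> bool:
        q = self.pending.get(resp.name)
        if q is None or q.txid != resp.txid or q.sport != resp.dport:
            return False  # no matching outstanding query: dropped
        del self.pending[resp.name]
        # Later accepted answers supersede cached RRs, poisoned or not.
        self.cache.update(resp.records)
        return True


def spoof_success_probability(guesses: int, bits: int) -> float:
    """P(at least one of `guesses` uniform guesses hits a `bits`-bit secret)."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** guesses


def exhaustive_txid_attack(resolver: Resolver, name: str, poison: str,
                           dport: int = 53) -> bool:
    """Forge one response per TXID, all aimed at one port (the classic
    attack against a resolver with a fixed source port). Call after
    send_query(name) and before the real answer arrives."""
    for txid in range(2 ** TXID_BITS):
        if resolver.receive(Response(name, txid, dport, {name: poison})):
            return True
    return False


def legitimate_answer(resolver: Resolver, name: str, address: str) -> bool:
    """Re-query and deliver the authoritative answer for it."""
    q = resolver.send_query(name)
    return resolver.receive(Response(name, q.txid, q.sport, {name: address}))


if __name__ == "__main__":
    rng = random.Random(1)
    fixed = Resolver(randomize_port=False, rng=rng)
    fixed.send_query("www.example.test")
    print("fixed port, exhaustive TXID attack:",
          exhaustive_txid_attack(fixed, "www.example.test", "203.0.113.66"))
    legitimate_answer(fixed, "www.example.test", "198.51.100.10")
    print("after authoritative answer:", fixed.cache["www.example.test"])
    for bits in (16, 32):
        print(bits, "bits, 65536 forged responses:",
              spoof_success_probability(2 ** 16, bits))
```

The `spoof_success_probability` figures are the quantitative version of the last sentence of the post: 65536 forged packets against a 16-bit TXID alone succeed roughly 63% of the time, while against TXID plus a random 16-bit port the same effort succeeds about 1.5 times in 100,000. The `legitimate_answer` step shows the cache behaviour Dom defends: the next accepted authoritative response replaces the poisoned record rather than being shadowed by it.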
