On 28 Sep 2015, at 6:53, Benoit Claise wrote:
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
Malicious third
parties might be able to observe that traffic on the network between
the recursive resolver and one or more of the DNS roots
....
The primary goals of this design is to provide faster negative
responses to stub resolver queries that contain junk queries, and to
prevent queries and responses from being visible on the network.
I've been wondering. So this mechanism is basically to speed up junk
queries. What can a malicious third party do by observing junk queries?
Nothing, I guess.
Actually, seeing junk queries can leak some valuable information. For
example, imagine that some malware sends junk queries for a known name;
seeing that can be valuable information for someone watching the stream
of requests. There are some companies whose business model includes
watching cache misses in recursive resolvers for interesting patterns.
I guess you want something like:
OLD:
The primary goals of this design is to provide faster negative
responses to stub resolver queries that contain junk queries, and to
prevent queries and responses from being visible on the network.
NEW:
The primary goals of this design is to provide faster negative
responses to stub resolver queries that contain junk queries, and to
prevent valid queries and responses from being visible on the
network.
Given the above, we would like to leave the text as-is because some
recursive operators care about exposure of bad queries as well.
--Paul Hoffman and Warren Kumari
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
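To make the exposure argument in the thread concrete, here is an added example (not code from the draft, the thread, or its authors) that simulates which queries an observer sitting between a recursive resolver and the root servers would see over a constructed query log, with and without a local copy of the root zone. It assumes a tiny stand-in root zone, a classic resolver that caches TLD delegations positively and negative answers per exact name (RFC 2308 style, no NXDOMAIN cut), and no QNAME minimization, so the observer sees full names. Client addresses and names are constructed.

```python
"""Added example: what an on-path observer between a recursive resolver and
the root sees, with and without a local root zone copy. Not part of the draft
or the mailing-list thread; all data below is constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for the root zone (assumption: the real zone has
# well over a thousand delegations; only these TLDs "exist" here).
ROOT_ZONE_TLDS = {"com", "net", "org", "arpa", "example"}

# Constructed stub-to-recursive query log as (client, qname) pairs.
QUERY_LOG: List[Tuple[str, str]] = [
    ("10.0.0.5", "www.example.com."),
    ("10.0.0.5", "mail.corp."),        # private namespace leaking out (junk TLD)
    ("10.0.0.7", "printer.local."),    # mDNS name sent to unicast DNS (junk TLD)
    ("10.0.0.7", "www.example.com."),
    ("10.0.0.9", "a1b2c3.wpad."),      # constructed "known name" pattern
    ("10.0.0.9", "a1b2c3.wpad."),
    ("10.0.0.9", "d4e5f6.wpad."),
    ("10.0.0.5", "www.iana.org."),
]


def tld_of(qname: str) -> str:
    """Rightmost label of a fully qualified name, lower-cased."""
    return qname.rstrip(".").split(".")[-1].lower()


def queries_sent_to_root(log: List[Tuple[str, str]],
                         local_root: bool) -> List[Tuple[str, str]]:
    """Return the (client, qname) pairs that cause a query to leave for the
    root servers, i.e. what an observer on the resolver-to-root path sees.

    Simplified cache model (assumption): a TLD delegation, once learned, is
    reused for every later name under that TLD; a negative answer is cached
    only for the exact name that was asked (classic RFC 2308 behaviour, no
    NXDOMAIN cut). With a local copy of the root zone the resolver answers
    every root-level question itself, so nothing reaches the root path."""
    if local_root:
        return []
    known_delegations = set()
    negative_cache = set()
    sent = []
    for client, qname in log:
        tld = tld_of(qname)
        if tld in known_delegations or qname in negative_cache:
            continue  # cache hit, no upstream query
        sent.append((client, qname))
        if tld in ROOT_ZONE_TLDS:
            known_delegations.add(tld)   # positive cache of the delegation
        else:
            negative_cache.add(qname)    # NXDOMAIN cached for this name only
    return sent


def junk_by_client(seen: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group the junk (nonexistent-TLD) names the observer saw by client.
    This is the "interesting pattern" the thread describes: a client that
    repeatedly asks for names under a known junk suffix stands out."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for client, qname in seen:
        if tld_of(qname) not in ROOT_ZONE_TLDS:
            grouped[client].append(qname)
    return dict(grouped)


if __name__ == "__main__":
    exposed = queries_sent_to_root(QUERY_LOG, local_root=False)
    print("without local root, visible on the root path:", len(exposed))
    for client, names in junk_by_client(exposed).items():
        print(f"  {client}: {names}")
    hidden = queries_sent_to_root(QUERY_LOG, local_root=True)
    print("with local root, visible on the root path:", len(hidden))
```

Running it shows that without a local root copy the observer sees six of the eight queries, four of them junk, and can tie the repeated `wpad.` names to one client; with the local root zone the root path carries nothing, which is the exposure the authors chose to keep in scope rather than narrow the sentence to "valid queries".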