On 10 Apr 2017, at 11:29, Florian Weimer wrote:

On 04/07/2017 08:11 PM, Evan Hunt wrote:
Title:          Address-specific DNS Name Redirection (ANAME)

I think the introduction should discuss why it is not possible to push the CNAME to the parent zone, replacing the entire zone with an alias.

Why this is not possible seems obvious to me, but we’ll see what we can write.

Section 3 is currently written in such a way that a recursive DNS lookup must be performed at the authoritative server side. I don't think it is necessary to require that. A recursive DNS lookup of the target is just one way to implement this.

What other ways did you have in mind?

In particular, the suggested recursive DNS lookup needs some form of distributed loop detection. Otherwise, a malicious customer could publish two zones with ANAME records and achieve significant traffic amplification, potentially taking down the DNS hoster. A hop count in an EDNS option or an “ANAME lookup in progress” indicator would be one way to implement this. Another approach would impose restrictions on the owner name of an ANAME record and its target, and restrict where CNAMEs can appear, so that a valid ANAME can never point to another valid ANAME.

I’m not sure it’s feasible to forbid chaining ANAMEs. I do agree there is a vector for DoS here. Section 6 currently cowardly says “Both authoritative servers and resolvers that implement ANAME should carefully check for loops and treat them as an error condition.” but I am aware that more words are needed.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
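As an added illustration (not code from the draft, PowerDNS, or either author), a toy resolver for ANAME targets that applies both guards discussed above, a hop count and a "lookup in progress" (visited-name) check, so that two zones whose ANAMEs point at each other fail closed instead of amplifying traffic. The zone contents, the hop limit and all helper names are constructed for this example.

```python
# Constructed toy model of ANAME target resolution with loop protection.
# Record layout, MAX_HOPS and helper names are assumptions, not draft behaviour.

MAX_HOPS = 4  # assumed cap, standing in for a hop count carried in an EDNS option

class AnameLoopError(Exception):
    """Following ANAME targets revisited a name or exceeded MAX_HOPS."""

# Constructed zones: .com/.net ANAME each other (loop), .org is normal, chain.test is 6 hops.
ZONES = {
    "example.com.": {"www.example.com.": ("ANAME", "www.example.net.")},
    "example.net.": {"www.example.net.": ("ANAME", "www.example.com.")},
    "example.org.": {"www.example.org.": ("ANAME", "cdn.example.org."),
                     "cdn.example.org.": ("A", "192.0.2.10")},
    "chain.test.": {**{f"a{i}.chain.test.": ("ANAME", f"a{i + 1}.chain.test.")
                       for i in range(1, 6)},
                    "a6.chain.test.": ("A", "192.0.2.20")},
}

def lookup(name):
    """Return the (type, rdata) record for name from whichever zone holds it."""
    for zone in ZONES.values():
        if name in zone:
            return zone[name]
    return None

def resolve_aname(name, hops=0, seen=None):
    """Follow ANAME targets to an address record with two independent guards:
    a hop counter (the EDNS-option idea) and a visited-name set (catches a loop
    even when a peer did not propagate the count). Either guard aborts the lookup."""
    seen = set() if seen is None else seen
    if hops > MAX_HOPS:
        raise AnameLoopError(f"hop limit {MAX_HOPS} exceeded at {name}")
    if name in seen:
        raise AnameLoopError(f"ANAME loop detected at {name}")
    seen.add(name)
    rr = lookup(name)
    if rr is None:
        return None  # no such name / no data: nothing to substitute
    rtype, rdata = rr
    if rtype == "ANAME":
        return resolve_aname(rdata, hops + 1, seen)
    return rdata if rtype == "A" else None

def resolve_safely(name):
    """Return ('ok', address-or-None) or ('error', reason); never runs unbounded."""
    try:
        return ("ok", resolve_aname(name))
    except AnameLoopError as exc:
        return ("error", str(exc))
```

In a real authoritative server the error branch would be logged and counted, since repeated loop hits from one customer's zones are the signal an operator would alert on.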
