Re: Dropping denial of existence of wildcard
> 1. An NXDOMAIN could be spoofed for names for which a wildcard
> expansion is possible
One consequence of this case is that if the resolver is walking down a
search path, a spoofed NXDOMAIN may result in unexpected behavior
(falling back to second-choice names).
This particular case seems pretty implausible -- if I knew that
*.example.com existed I'd likely not put example.com anywhere but the
last spot in the search path.
Seems slightly less implausible if the search involves a multi-label
name. For example, looking up "a.b" with a search path including
example.com and example.net in that order; if *.b.example.com exists
but an NXDOMAIN is spoofed, it may unexpectedly fall back to resolving
a.b.example.net.
Also, what about the case where a.b.example.com exists but doesn't
have an RR of the appropriate type, but there's a covering wildcard
with that RR type?
- Bill
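The two cases raised in the message above, as an added example that is not part of the original post or of any resolver's code: a small Python model of RFC 4592 wildcard synthesis (closest encloser, empty non-terminals, "an existing name is never synthesized") together with a stub resolver's search-list walk. It shows a forged NXDOMAIN for a name that the wildcard would have covered pushing the walk on to the next suffix, and a name that exists without the queried type returning NODATA rather than a wildcard-synthesized answer. All zone contents, names and addresses are constructed for the example, and the modelled stub behaviour (advance to the next suffix only on NXDOMAIN) is an assumption of the example, not a description of any particular implementation.

```python
"""Added example, not part of the original message: a toy model of RFC 4592
wildcard synthesis plus a stub resolver's search-list walk, to show the two
cases raised in the thread.  All zone data and addresses are constructed."""

# Constructed zone data: apex -> {owner name -> {rrtype: rdata}}.
ZONES = {
    "example.com": {
        "example.com":     {"SOA": "ns1.example.com. hostmaster.example.com. 1"},
        "*.b.example.com": {"A": "192.0.2.10"},
        "a.b.example.com": {"TXT": "exists but owns no A record"},
    },
    "example.net": {
        "example.net":       {"SOA": "ns1.example.net. hostmaster.example.net. 1"},
        "www.b.example.net": {"A": "198.51.100.7"},
        "a.b.example.net":   {"A": "198.51.100.8"},
    },
}

# Search list assumed for the stub resolver, in the order the message describes.
SEARCH = ["example.com", "example.net"]


def name_exists(zone, name):
    """A name exists if it owns RRs or is an empty non-terminal (an ancestor
    of some owner name).  The RFC 4592 rules hinge on this distinction."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def lookup(zone, qname, qtype):
    """Authoritative answer from one zone: ('NOERROR', rdata), ('NODATA', None)
    or ('NXDOMAIN', None), applying the RFC 4592 wildcard rules."""
    if name_exists(zone, qname):
        # An existing name is never synthesized from a wildcard, even when a
        # covering wildcard owns the requested type: this is the NODATA case.
        rrs = zone.get(qname, {})
        return ("NOERROR", rrs[qtype]) if qtype in rrs else ("NODATA", None)
    # qname does not exist: find the closest encloser (longest existing
    # ancestor) and check whether the source of synthesis *.<encloser> exists.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):
            rrs = zone.get("*." + encloser)
            if rrs is None:
                return ("NXDOMAIN", None)
            return ("NOERROR", rrs[qtype]) if qtype in rrs else ("NODATA", None)
    return ("NXDOMAIN", None)


def authoritative(qname, qtype):
    """Route a query to the constructed zone with the longest matching apex."""
    for apex in sorted(ZONES, key=len, reverse=True):
        if qname == apex or qname.endswith("." + apex):
            return lookup(ZONES[apex], qname, qtype)
    return ("NXDOMAIN", None)


def forged_nxdomain(target):
    """An on-path attacker who answers NXDOMAIN for one name and is honest
    otherwise.  Without a denial-of-existence proof that also covers the
    wildcard, the stub cannot tell this from a genuine negative answer."""
    def query(qname, qtype):
        return ("NXDOMAIN", None) if qname == target else authoritative(qname, qtype)
    return query


def resolve_with_search(query, name, qtype, search=SEARCH):
    """Stub behaviour modelled here (an assumption of the example): append
    each suffix in turn and move on only on NXDOMAIN; NODATA ends the walk."""
    tried = []
    for suffix in search:
        fqdn = f"{name}.{suffix}"
        rcode, rdata = query(fqdn, qtype)
        tried.append((fqdn, rcode))
        if rcode != "NXDOMAIN":
            return {"name": fqdn, "rcode": rcode, "rdata": rdata, "tried": tried}
    return {"name": None, "rcode": "NXDOMAIN", "rdata": None, "tried": tried}


if __name__ == "__main__":
    # Honest answers: wildcard synthesis covers www.b.example.com.
    print(resolve_with_search(authoritative, "www.b", "A"))
    # Forged NXDOMAIN for the wildcard-covered name: the walk falls through
    # to www.b.example.net, the "second-choice name" from the message.
    print(resolve_with_search(forged_nxdomain("www.b.example.com"), "www.b", "A"))
    # a.b.example.com exists (TXT only), so the A query is NODATA and the
    # covering wildcard's A record is not used.
    print(resolve_with_search(authoritative, "a.b", "A"))
```

Two further consequences of the same rules are worth checking against the model: a query below the existing name (x.a.b.example.com) is NXDOMAIN because its closest encloser is a.b.example.com and there is no *.a.b.example.com, while x.y.b.example.com is still synthesized from *.b.example.com since the wildcard matches any number of labels beneath its encloser.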
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>