Re: Trustworthiness rules

On Nov 28, 2006, at 7:45 PM, Andreas Gustafsson wrote:

> Edward Lewis wrote:
>> Cache poisoning was "solved" by the trustworthiness rules and other
>> clean up in RFC 2181.  Cache poisoning is still a vulnerability but
>> much harder and less effective if the caches in the pipeline all
>> implement RFC 2181 rules cleanly.
>
> I agree that the cache poisoning problem has been solved, for most
> practical purposes, by caching servers implementing anti-poisoning
> rules.
>
> However, I must point out that the specific rules in RFC2181 are in
> fact not an effective defense against cache poisoning, and that the
> immunity against poisoning enjoyed by current caching servers stems
> from a completely different rule that is still not stated in any IETF
> document.
>
> There are several variations of this rule, but in its simplest form,
> it says that when a caching server queries the authoritative servers
> of a given domain, it must discard all response records whose owner
> name is outside that domain.

Yes!

And for this reason, authoritative servers shouldn't bother following CNAME chains outside the zone, since resolvers will just discard those records.

> IMO, not only do we need to put this rule in a standards document,
> but RFC2181 section 5.4.1 should go away.

It is useful to point out that caches should not promote additional section data to authority or answer sections, though.

--
David Blacka    <davidb@verisignlabs.com>
Sr. Engineer    VeriSign Applied Research
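
An added example, not part of the original message and not taken from any resolver's code: the simplest form of the rule discussed in this thread (discard every response record whose owner name is outside the domain whose servers were queried), written in Python. The `RR` tuple, the function names and the sample response are constructed for illustration.

```python
from typing import NamedTuple

class RR(NamedTuple):
    owner: str
    rtype: str
    rdata: str
    section: str  # "answer", "authority" or "additional"

def labels(name):
    """Split a domain name into lower-cased labels; the root is ()."""
    name = name.rstrip(".").lower()
    return tuple(name.split(".")) if name else ()

def in_bailiwick(owner, zone):
    """True when owner is the zone apex or a name below it.

    Whole labels are compared from the right, so "badexample.com" is
    not accepted for "example.com" as a plain string-suffix test would.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(records, zone):
    """Split records into (kept, discarded) by the owner-name rule."""
    kept, discarded = [], []
    for rr in records:
        (kept if in_bailiwick(rr.owner, zone) else discarded).append(rr)
    return kept, discarded

# Constructed response from a server queried as authoritative for example.com.
SAMPLE = [
    RR("www.example.com.", "CNAME", "www.example.net.", "answer"),
    # Target of the CNAME chain, outside the zone: discarded, so the
    # cache must ask the example.net servers for it itself.
    RR("www.example.net.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("NS1.Example.COM.", "A", "192.0.2.53", "additional"),
    RR("www.badexample.com.", "A", "198.51.100.7", "additional"),
    RR("com.", "NS", "ns.other.invalid.", "authority"),  # parent of the zone
]

if __name__ == "__main__":
    kept, discarded = filter_response(SAMPLE, "example.com.")
    for rr in kept:
        print("keep   ", rr.section, rr.owner, rr.rtype, rr.rdata)
    for rr in discarded:
        print("discard", rr.section, rr.owner, rr.rtype, rr.rdata)
```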

