Re: draft-ietf-dnsext-forgery-resilience-01.txt
> On Mon, Nov 12, 2007 at 06:15:07PM +0100, Shane Kerr wrote:
>
> > The only time you have an actual clash is when you have a duplicate ID+source
> > IP+source port+destination IP+destination port for a UDP query, because then the
> > resolver has no way to disambiguate the replies it gets.
>
> Even more - "source ip, source port, destination ip, destination port, id,
> qname, qtype" - these all have to match.
But not in the error reply space. The client has to handle
just getting back the 12 octet DNS header for NOTIMP,
FORMERR, SERVFAIL etc. Good answers (includes NXDOMAIN)
to queries contain the qname and qtype.
It also has to handle delayed error replies, duplicate error
replies (possibly due to duplicate queries), etc.
> Authoritative servers do not look at the id of questions they get, except to
> copy them to the answer.
Recursive servers do duplicate query suppression. Remember there
are often chains of recursive servers.
> So duplicate query-IDs are only a problem for the resolver emitting them,
> which will then have trouble disambiguating replies - iow, it is buggy.
>
> Bert
>
> --
> http://www.PowerDNS.com Open source, database driven DNS Software
> http://netherlabs.nl Open and Closed source services
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
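As an added illustration of the matching rules discussed in this thread (not code from either poster, and not from any real resolver), the sketch below keys outstanding UDP queries on the address 4-tuple plus ID, checks qname/qtype only when the reply carries a question section, and accepts header-only FORMERR/SERVFAIL/NOTIMP replies on the tuple and ID alone; the second copy of an error reply is treated as unexpected. Address and name values are constructed, and the function names are my own.

```python
import struct

# Outstanding queries keyed by ((our addr, our port), (server addr, server port), ID).
pending = {}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero octet."""
    labels = name.rstrip('.').split('.')
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'

def build_message(qid, flags, qname=None, qtype=1):
    """12-octet header, plus a question section only when qname is given."""
    qdcount = 1 if qname else 0
    msg = struct.pack('!HHHHHH', qid, flags, qdcount, 0, 0, 0)
    if qname:
        msg += encode_name(qname) + struct.pack('!HH', qtype, 1)
    return msg

def send_query(local, remote, qid, qname, qtype=1):
    """Record the query so replies can be matched, and return its wire form."""
    pending[(local, remote, qid)] = (qname.lower().rstrip('.'), qtype)
    return build_message(qid, 0x0100, qname, qtype)

def parse_question(msg):
    """Return (lower-cased qname, qtype) from the first question entry."""
    labels, off = [], 12
    while msg[off]:
        length = msg[off]
        labels.append(msg[off + 1:off + 1 + length].decode('ascii'))
        off += 1 + length
    qtype = struct.unpack('!H', msg[off + 1:off + 3])[0]
    return '.'.join(labels).lower(), qtype

def accept_reply(local, remote, msg):
    """Classify a datagram received on `local` from `remote` against pending queries."""
    if len(msg) < 12:
        return 'short'
    qid, flags, qdcount = struct.unpack('!HHH', msg[:6])
    if not flags & 0x8000:
        return 'not-a-response'
    key = (local, remote, qid)          # addresses, ports and ID must all agree
    if key not in pending:
        return 'unexpected'             # spoofed, duplicate or late reply
    rcode = flags & 0xF
    if qdcount == 0:
        # Header-only FORMERR(1)/SERVFAIL(2)/NOTIMP(4): no qname/qtype to compare.
        if rcode in (1, 2, 4):
            del pending[key]
            return 'error-header-only'
        return 'no-question'            # a real answer must echo the question
    if parse_question(msg) != pending[key]:
        return 'question-mismatch'
    del pending[key]
    return 'match'
```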