"Secure cache against pollution"

wanted to know

If you enable this setting, the DNS server will ignore
DNS resource records that come from servers that are not
authoritative for them.

How about the NS records for delegated domains, they are
not authoritative on the parent servers, so these records
will not be cached either, right?
 
Ace Fekay [MVP]

wanted to know said:
If you enable this setting, the DNS server will ignore
DNS resource records that come from servers that are not
authoritative for them.

How about the NS records for delegated domains, they are
not authoritative on the parent servers, so these records
will not be cached either, right?

I would assume they would get cached since the delegation is pretty much a
referral to the DNS server(s) that are authoritative and the response would be
coming back from that DNS.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

wanted to know said:
If you enable this setting, the DNS server will ignore
DNS resource records that come from servers that are not
authoritative for them.

How about the NS records for delegated domains, they are
not authoritative on the parent servers, so these records
will not be cached either, right?

It works.

So Ace is likely right to assume; I would presume this also.

One possibility exists though that might (repeated: might) clarify this
point:

The NS record is in some sense an authoritative statement for the
CURRENT zone, which hands off that authority to a child DNS
server-zone.

Any A record is only listed IF that NS server has a name with the
current zone OR down the tree (which would be unreachable without
that delegation AND without that A record to find the authoritative
server.)

Note that if the NS record points to an ISP (or other server) OUTSIDE
the current zone/tree then that A record does NOT appear in the parent
zone -- it exists at the ISP, etc. zone.
 
wanted to know

Not really sure what you mean by saying "it works!" Did
you test or verify it?

The same situation will be true for the CNAME records, as
you DIG, you don't get an AA back.

One should be able to verify this in a lab setup...
 
Jonathan de Boyne Pollard

w> How about the NS records for delegated domains, they are
w> not authoritative on the parent servers, so these records
w> will not be cached either, right?

The AA bit in DNS response datagrams is a vestigial part of the DNS
protocol that was the result of a flawed model of DNS operation that
was mistakenly initially adopted. It's irrelevant to the prevention of
cache poisoning.

Cache poison avoidance is implemented by the simple expedient of
ignoring (except for the purpose of determining the form of the
response) any data in a response that are not within the bailiwick of
the content DNS server being queried.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-bailiwick.html>

In essence, the only content DNS servers that will be believed when they
publish data about "www.example.com." are the "www.example.com.", the
"example.com.", the "com.", and the "." content DNS servers. (And, moreover,
there is no order of precedence amongst those sets of servers.)

<URL:http://cr.yp.to/djbdns/notes.html#poison>
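The bailiwick rule Jonathan describes (keep a record only when its owner name lies within the zone the queried server serves) and Herb's point that the parent zone carries a glue A record only for name servers named inside the delegated tree are shown together in the following added example. It is illustrative code written for this page, not anything from the posters or from the Windows DNS server, and every zone name, address and record in it is constructed sample data (RFC 2606 names, RFC 5737 addresses):

```python
"""Bailiwick filtering of a DNS response (added illustration, not any
poster's code).  All zone names, record tuples and addresses below are
constructed sample data."""


def in_bailiwick(name: str, zone: str) -> bool:
    """True if ``name`` is ``zone`` itself or lies below it in the tree.
    Comparison is case-insensitive and ignores the trailing dot."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if zone == "":                      # the root servers may speak for any name
        return True
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records: list) -> tuple:
    """Split ``records`` (a reply from a server authoritative for ``zone``)
    into those a cache may keep and those it must discard.  Records outside
    the bailiwick are still parsed, so a referral is still recognised as one,
    but they never enter the cache."""
    accepted, rejected = [], []
    for rec in records:
        owner = rec[0]                  # each record is (owner, type, rdata)
        (accepted if in_bailiwick(owner, zone) else rejected).append(rec)
    return accepted, rejected


# Constructed referral from the "com." servers for the name www.example.com.
COM_REFERRAL = [
    ("example.com.", "NS", "ns1.example.com."),        # delegation, in bailiwick
    ("example.com.", "NS", "ns.isp.example.net."),     # delegation to an outside host
    ("ns1.example.com.", "A", "192.0.2.53"),           # glue: owner is under com.
    ("ns.isp.example.net.", "A", "198.51.100.7"),      # owner is under net., not com.
    ("www.bank.example.org.", "A", "203.0.113.99"),    # unrelated name: discard
]

# Constructed answer from the "example.com." servers.
EXAMPLE_COM_ANSWER = [
    ("www.example.com.", "A", "192.0.2.80"),           # in bailiwick
    ("com.", "NS", "ns1.example.com."),                # child speaking for its parent
]

if __name__ == "__main__":
    for zone, resp in (("com.", COM_REFERRAL), ("example.com.", EXAMPLE_COM_ANSWER)):
        keep, drop = filter_response(zone, resp)
        print(f"from {zone} servers: cache {len(keep)}, discard {len(drop)}")
        for rec in drop:
            print("  discarded:", rec)
```

Run stand-alone, the block reports which records of each constructed response a cache would discard. The address for ns.isp.example.net. is dropped from the com. referral for exactly the reason Herb gives: the parent is not where that address lives, so a resolver has to fetch it from the net. tree instead. The second response shows the symmetric case: a child zone's servers cannot rewrite the cached NS set of their parent, which is what makes the rule order-independent in the sense Jonathan mentions.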
 
