[RFCI-Discuss] wirralnews.com

Alex van den Bogaerdt alex at ergens.op.het.net
Sat Sep 8 10:57:26 EDT 2007


On Sat, Sep 08, 2007 at 09:48:21AM -0400, Derek J. Balling wrote:

> Why does it have to do it this way?  Ponder the case where you're  
> looking for say "foo.somedomain.com", and somedomain.com's DNS records  
> aren't in sync between "server1" and "server2".... so you have to  
> traverse all possible DNS decision paths to get a full and complete  
> list of all "possibilities" of places you might end up querying

My point is: no, you don't.  All you need is one server which
gives the wrong answer.  You aren't interested, at all, in the
rest of the set of servers (if any).

I believe this will significantly reduce the load in many cases.
What you describe is the worst case scenario, where you happen to
visit all possible permutations until you end up at the one wrong
record on one of many servers.  This won't happen often. Especially
in the case where DNS is maliciously crippled, all servers will have
the same or at least a similar "problem".


I think I understand what you say about libresolv.  I also think
you are right in saying that this is their bug to fix. Nevertheless,
if DNS points to a server saying "ask this one", and if that server
does answer, and if that server returns "*.mx.*.", then it's a
listable offence IMHO.  You walked the tree, and you got the wrong
answer you were looking for.

In the case at hand, the server does not provide NS or SOA records.
However, it does claim there aren't any servers because it does
return, authoritatively, an empty set of NSes.  This will also
reduce the workload.  There's no need to try the other NS, as
the first one, to which authority _*is*_ delegated, tells you
that you don't need to continue.


What can go wrong?

A misconfigured (by accident) domain may be listed for a while.
Still, it will only happen if the problem reported actually
exists on the misconfigured server.

What else can go wrong?

Remember: you don't need to prove that there are servers out there
which do it right, all you need to prove is that there is one server
doing wrong.

Alex
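
The early-exit walk argued for above, as an added example that is not part of the original message or of any RFCI tooling. The server names, the `Reply` model and the `offending` flag (standing in for whatever record the listing policy rejects) are constructed assumptions, and no real DNS queries are sent.

```python
from collections import namedtuple

# One server's reply for the domain under test (constructed model, no DNS I/O).
Reply = namedtuple("Reply", "aa ns offending")

# Constructed sample: two parent servers delegate to ns1/ns2; ns1 answers
# authoritatively with an empty NS set, ns2 is out of sync and points elsewhere.
SAMPLE = {
    "parent-a": Reply(aa=False, ns=["ns1", "ns2"], offending=False),
    "parent-b": Reply(aa=False, ns=["ns2", "ns1"], offending=False),
    "ns1": Reply(aa=True, ns=[], offending=False),
    "ns2": Reply(aa=False, ns=["ns3", "ns4"], offending=False),
    "ns3": Reply(aa=True, ns=["ns3", "ns4"], offending=False),
    "ns4": Reply(aa=True, ns=["ns3", "ns4"], offending=True),
}

def verdict(reply):
    """Return a reason if this single reply is a finding on its own, else None."""
    if reply.offending:
        return "offending record"
    if reply.aa and not reply.ns:
        return "authoritative empty NS set"
    return None

def walk(start, servers, stop_at_first=True):
    """Follow delegations depth-first; return (findings, queries_sent)."""
    findings, queries, seen = [], 0, set()
    stack = list(reversed(start))          # pop() then visits in listed order
    while stack:
        name = stack.pop()
        if name in seen or name not in servers:
            continue                       # already asked, or absent from the model
        seen.add(name)
        queries += 1
        reply = servers[name]
        reason = verdict(reply)
        if reason:
            findings.append((name, reason))
            if stop_at_first:
                break                      # one witness is enough
        stack.extend(reversed(reply.ns))
    return findings, queries

if __name__ == "__main__":
    print(walk(["parent-a", "parent-b"], SAMPLE))                       # early exit
    print(walk(["parent-a", "parent-b"], SAMPLE, stop_at_first=False))  # full walk
```
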

