Re: DOS attack against DNS?
From: Paul Vixie <paul () vix com>
Date: Sun, 15 Jan 2006 23:10:56 +0000


# > class "ANY" has no purpose in the real world, not even for debugging.  if
# > you see it in a query, you can assume malicious intent.  if you hear it in
# > a query, you can safely ignore that query, or at best, map it to class
# > "IN".
# 
#       er... i guess that is true, although the DNS does work for 
#       things other than IP based networks...  despite our respective
#       best efforts to cripple it.

i'm not trying to cripple it.  i'm saying RFC 1034/1035 was wrong about class
"ANY".  all answer/authority/additional data where OP=QUERY and QR=1 will have
the same class as the QCLASS (of which, in spite of the QDCOUNT field, there
can be only one).  nodes do not have classes.  not even zones have classes.
each class has a hierarchy of NS RRs making a "namespace".  each class needs
its own root name servers.  there are less-coherent / more-useful ways to
interpret "the spec", and one such way could give meaning to class "ANY", but
no dns implementation i'm aware of follows those alternate interpretations.

since nanog isn't a protocol-fine-points mailing list, at least for the DNS
protocol, one could ask "why are we discussing this?" and my answer is, there
is an operational tie-in.  if you see QCLASS=ANY in a firewall, that is prima
facie evidence of malfeasance, not merely misconfiguration or
misinterpretation.
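The operational check the post points at (treating QCLASS=ANY in a query as something to alert on) as an added Python example that is not part of the original post: it parses the DNS header and first question of a raw UDP payload, judges only OP=QUERY/QR=0 messages, and uses constructed sample packets built by a small helper.

```python
import struct

# RFC 1035 class values; 255 is the "ANY" QCLASS the post calls a red flag.
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 255: "ANY"}
QCLASS_ANY = 255

def parse_query(packet: bytes) -> dict:
    """Parse a raw DNS message: header fields plus the first question.
    The question section never uses name compression, so a label byte with
    the top two bits set is treated as malformed rather than followed."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"txid": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qdcount": qdcount, "qname": ".".join(labels) or ".",
            "qtype": qtype, "qclass": qclass}

def qclass_verdict(packet: bytes) -> str:
    """Apply the post's rule: a query carrying QCLASS=ANY is worth an alert.
    Only standard queries (QR=0, OPCODE=0) are judged; others are ignored.
    Non-IN classes such as CH are flagged for review, not alerted on."""
    q = parse_query(packet)
    if q["qr"] != 0 or q["opcode"] != 0:
        return "ignore"
    if q["qclass"] == QCLASS_ANY:
        return "alert"
    return "ok" if q["qclass"] == 1 else "review"

def build_query(qname: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query (constructed sample input, RD set, QR=0)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = [p for p in qname.strip(".").split(".") if p]
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts)
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)
```

Running `qclass_verdict(build_query("example.com", 1, 255))` returns "alert", while the same name in class IN returns "ok".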

