On Thu, 26 Aug 2004, Mark Shewmaker wrote:
> On Thu, 2004-08-26 at 07:22, william(at)elan.net wrote:
> > On Thu, 26 Aug 2004, Roger Moser wrote:
> > > Shelby, again: The spammer cannot find out that there is a subdomain
> > > user._spf.example.com. If your name server allows one to find out the names of
> > > the subdomains, then it is misconfigured and you should immediately fix
> > > it.
> > That is not quite so if you configure DNSSEC, since then you must allow for
> > transfer of the entire zone (signed, obviously) and this reveals all subdomains.
> > This has been one of the problems that may be stopping wider use of DNSSEC.
> What happens to dynamic lookups then?
> Say you set up hashme.example.com to return hashes, so that a query to
> variable.hashme.example.com returns a 4-byte hash of "variable"?
> Would DNSSEC require that you allow zone transfers of all possible
> values of "variable" for variable.hashme.example.com?
Dynamic lookups cannot easily be supported with DNSSEC, at least not as of the
last time I looked at the RFCs. The recommended way around this would be to have
each zone signed at the time you request it (dynamic signing, which as you can
imagine would cause high CPU load and possibly the necessity for a new hardware
device to be able to do it without impacting performance).
At the same time, if you do have dynamic DNS data, you already have some
problems today with clients that cache the results longer than what you
put in the SOA (which would have to be a very low value indeed). DNS is not the
best database system for dynamically updated records that change often...
---
William Leibzon, Elan Networks:
mailto: william(_at_)elan(_dot_)net
Anti-Spam Research Work:
http://www.elan.net/~william/asrg/
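The point William makes above, that a signed zone exposes every name in it, can be seen without any zone transfer at all: DNSSEC's authenticated denial of existence (the NSEC record, RFC 4034) links each owner name to the canonically next one, so both an NSEC lookup and an NXDOMAIN proof disclose neighbouring names. The simulation below is an added example, not code from the thread or from any DNS software; the zone contents, the `user._spf.example.com.` "hidden" label and all function names are constructed for illustration. It builds the NSEC chain the way a signer would and then shows that a resolver-side observer recovers the full name list, and that even a query for a name that does not exist reveals the "secret" SPF subdomain.

```python
"""Simulation of how a DNSSEC NSEC chain discloses every owner name in a zone.
Added illustration; the zone and names are constructed, not real data."""

# Constructed zone: owner name -> record types present at that name.
ZONE = {
    "example.com.": ["SOA", "NS"],
    "www.example.com.": ["A"],
    "user._spf.example.com.": ["TXT"],   # the subdomain the thread calls "unguessable"
    "mail.example.com.": ["MX"],
}


def canonical_key(name):
    """DNSSEC canonical ordering (RFC 4034 s.6.1): compare labels from the
    right-hand end, case-insensitively. Byte-level subtleties are ignored here;
    this suffices for plain ASCII labels like the ones in ZONE."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(reversed(labels))


def build_nsec_chain(zone):
    """What a signer does offline: sort owner names canonically and give each
    one an NSEC record pointing at the next name, the last wrapping to the apex.
    Returns owner -> (next_owner, type_bitmap)."""
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        chain[owner] = (nxt, sorted(zone[owner]) + ["NSEC", "RRSIG"])
    return chain


def walk_zone(apex, query_nsec):
    """Given only an oracle that answers 'what is the NSEC record at name X',
    follow the next pointers from the apex until they wrap around.
    This recovers every owner name in the zone."""
    names = []
    cur = apex
    while True:
        nxt, _types = query_nsec(cur)
        names.append(cur)
        if nxt == apex:
            return names
        cur = nxt


def covering_nsec(chain, qname):
    """The NSEC an authoritative server must return to prove qname does not
    exist: the record whose owner sorts just before qname. Its owner and next
    fields are two real names, handed to whoever asked for a nonexistent one."""
    key = canonical_key(qname)
    owners = sorted(chain, key=canonical_key)
    prev = owners[-1]  # wrap-around case: qname sorts after every owner
    for owner in owners:
        if canonical_key(owner) > key:
            break
        prev = owner
    return prev, chain[prev][0]


def names_exposed_by_nxdomain(chain, qname):
    """Convenience: the set of real names leaked by a single NXDOMAIN answer."""
    return set(covering_nsec(chain, qname))


if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    print("NSEC chain:")
    for owner, (nxt, types) in chain.items():
        print(f"  {owner} -> {nxt}  {' '.join(types)}")
    print("walk from apex:", walk_zone("example.com.", lambda n: chain[n]))
    print("NXDOMAIN for aaa.example.com. leaks:",
          names_exposed_by_nxdomain(chain, "aaa.example.com."))
```

The walk needs nothing but ordinary DNS queries for the NSEC type, so restricting AXFR does not help; the thread's advice to keep a name unguessable does not survive signing the zone with plain NSEC. Later work standardised hashed owner names (NSEC3, RFC 5155) precisely to blunt this walk, though it still proves non-existence with neighbour hashes rather than hiding the zone outright.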