Re: DNS Query Format
2005-03-24 11:24:10
David MacQuigg wrote:
It has been mentioned that the %{i} macro could be included in the
query, and then the server could reply with PASS/FAIL. I think this
is a bad idea, because all those queries are uncacheable, so this
truly circumvents the benefits that were designed into DNS. When the
DDOS attempt does happen, caching can really help lower the impact.
It may be that I didn't understand the proposal well enough.
Good point. I hadn't thought of that. Also, since the PASS/FAIL
response takes the same single IP datagram as a list of IPs, there is
not much to be gained.
One more thought on this topic: Even though we see no advantage now in
having a DNS server reply with a PASS/FAIL, would it be a good idea to
include the IP address in the DNS query anyway? That will add a
negligible 4 bytes to the query, and will allow for some future use of
this information. This might be, for example, a daemon that alerts a
domain owner when an IP in their domain attempts an unauthorized use of
the domain name. (A zombie catcher!!)
AFAIK, the ns_resolve takes only two useful parameters: a record type
and an ASCII host name. I don't see how you could include an IP in the
query other than concatenating it to the host name. At that point, it
just becomes a unique host name (i.e., uncacheable). Here's how the
resolver function is defined:
"
int res_query(const char *dname, int class, int type,
unsigned char *answer, int anslen);
The res_query() function queries the name server for the fully-qualified
domain name name of specified type and class. The reply is left
in the buffer answer of length anslen supplied by the caller.
"
I raise this question now, because it will be a lot easier to modify the
standard now than later.
I wholeheartedly agree! Until SPF becomes a standard, this is the time
to refine it. Besides, depending on how serious the remaining problems
are, the IETF might send it back to be fixed before being considered for
standard status. That would just be a waste of time, and a loss of
credibility to the IETF.
Radu.
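As an added illustration of the caching point discussed in this message (example code written for this page, not from the thread or any SPF implementation): a minimal expander for the SPF %{i} and %{d} macros, plus a simulated resolver cache showing why a query name that carries the client IP only gets cache hits for repeat senders, while a fixed name is served from cache for everyone. The template strings and the list of client IPs are constructed sample data.

```python
import ipaddress
import re

# SPF macro syntax (RFC 4408 section 8) restricted to %{i} (client IP) and
# %{d} (domain), with the optional digit transformer and "r" reverse
# modifier, e.g. %{ir} or %{d2}. Other macro letters are not handled here.
MACRO_RE = re.compile(r"%\{([id])(\d*)(r?)\}")

def expand_macro(template, client_ip, domain):
    """Expand %{i}/%{d} macros in template for one client IP and domain."""
    def substitute(match):
        letter, digits, reverse = match.groups()
        if letter == "i":
            ip = ipaddress.ip_address(client_ip)
            if ip.version == 4:
                parts = ip.exploded.split(".")
            else:
                # IPv6 is expanded as dot-separated nibbles per the RFC
                parts = list(ip.exploded.replace(":", ""))
        else:
            parts = domain.split(".")
        if reverse:
            parts = parts[::-1]
        if digits:
            parts = parts[-int(digits):]  # keep the rightmost N labels
        return ".".join(parts)
    return MACRO_RE.sub(substitute, template)

def cache_hit_ratio(template, client_ips, domain="example.com"):
    """Simulate a resolver cache with no expiry: return the fraction of
    lookups for the expanded name that are answered from cache."""
    cache = set()
    hits = 0
    for ip in client_ips:
        name = expand_macro(template, ip, domain)
        if name in cache:
            hits += 1
        else:
            cache.add(name)
    return hits / len(client_ips)

# Constructed sample: four messages from three distinct client IPs.
SAMPLE_IPS = ["192.0.2.1", "192.0.2.2", "192.0.2.1", "198.51.100.7"]

if __name__ == "__main__":
    print("with %{i}:   ", cache_hit_ratio("%{i}._spf.%{d}", SAMPLE_IPS))
    print("without %{i}:", cache_hit_ratio("_spf.%{d}", SAMPLE_IPS))
```

With the IP in the name only the repeat sender is a cache hit (0.25); with a fixed name every lookup after the first is (0.75), which is the caching benefit the message says a per-IP query would give up.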