
[RRG] Re: TRRP's micronet length specification?



On Mon, Feb 25, 2008 at 4:07 AM, Robin Whittle <rw@firstpr.com.au> wrote:
>  It has been a while since I read your TRRP material, but I thought,
>  perhaps incorrectly, that when the ITR queries the authoritative
>  nameserver about some IP address X, it gets a response not just for
>  X, but for the entire micronet of which X is a part.  (That micronet
>  could just be for X, but for the purposes of this discussion, I am
>  assuming it covers 2, 4 . . 256, 512 etc. addresses as a prefix.)

Hi Robin,

TRRP returns information about the single EID IP address that the ITR
is dealing with. The optional Netmask (NM) and Zone Transfer (ZT)
features allow the ITR to expand that knowledge to cover a whole CIDR
block if it finds that it is dealing with more than one included IP
address.

The reason TRRP doesn't immediately act on netmask information
contained in the EID response is that the ITR can't authenticate the
netmask without an additional query. This lesson was learned from a
Bind "cache poisoning" problem in the late '90s where a hacker's DNS
server would return "additional" records for which it was not
authoritative and the caching resolver would accept those records
uncritically.

Regards,
Bill Herrin

-- 
William D. Herrin                  herrin@dirtside.com  bill@herrin.us
3005 Crane Dr.                        Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
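The "additional records" lesson Bill refers to is what resolvers now call a bailiwick check: only accept extra records whose owner name lies inside the zone the responding server is authoritative for. The following is an added illustration, not code from this message or from TRRP; the record structure, zone name and sample records are constructed for the example, and the check is label-based rather than a plain string suffix test so that "notexample.net." is not mistaken for a child of "example.net.".

```python
# Added example: bailiwick filtering of additional-section records,
# the resolver-side defence against the 1990s "additional record" poisoning.
# RR and the sample data are constructed here; this is not a DNS parser.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "host.example.net."
    rtype: str   # "A", "NS", ...
    rdata: str


def _labels(name: str) -> list[str]:
    # Split a domain name into lowercase labels, dropping the trailing dot.
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (label-wise, not substring)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def accept_additional(zone: str, additional: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split additional records into those the server may speak for (cacheable)
    and out-of-bailiwick ones, which must be discarded or fetched by a separate
    query to the server actually authoritative for them."""
    kept, dropped = [], []
    for rr in additional:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed sample: a response from a server authoritative for example.net.
# The last record tries to plant a mapping for a name outside that zone.
SAMPLE_ZONE = "example.net."
SAMPLE_ADDITIONAL = [
    RR("ns1.example.net.", "A", "192.0.2.10"),
    RR("www.example.net.", "A", "192.0.2.20"),
    RR("www.bank.example.org.", "A", "203.0.113.66"),  # out of bailiwick
]

if __name__ == "__main__":
    kept, dropped = accept_additional(SAMPLE_ZONE, SAMPLE_ADDITIONAL)
    print("cacheable:", [r.name for r in kept])
    print("rejected: ", [r.name for r in dropped])
```

The same rule is what makes TRRP's design choice necessary: netmask data carried in the EID response is, from the ITR's point of view, an unauthenticated additional record until it is confirmed by its own query.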

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg