[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Poison in a zone

To: "D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: Poison in a zone
From: gson@nominum.com (Andreas Gustafsson)
Date: Mon, 24 Feb 2003 20:50:18 -0800 (PST)
Cc: iesg@ietf.org, namedroppers@ops.ietf.org
In-reply-to: <20030225005042.72047.qmail@cr.yp.to>
References: <20030223091513.85299.qmail@cr.yp.to><200302232128.h1NLS74U020848@drugs.dv.isc.org><20030224001809.72005.qmail@cr.yp.to><200302240239.h1O2dAh00524@guava.araneus.fi><20030224040021.47335.qmail@cr.yp.to><200302242340.h1ONeur00731@guava.araneus.fi><20030225005042.72047.qmail@cr.yp.to>

D. J. Bernstein writes:
> But now Gustafsson admits that the BIND 9 AXFR client doesn't follow
> the ``zone coherency'' religion. It deliberately discards some kinds of
> records! It isn't making a perfect copy of the zone! It's breaking IXFR!

BIND 9 is doing what you yourself said it "must" do.

This does not by itself break IXFR.  In theory, IXFR can break when
the zone transfer graph contains both servers that fully support
out-of-zone glue and servers that do not, but in practice no servers
support out-of-zone glue and the problem does not occur.  This is of
course another argument for completely outlawing out-of-zone glue in
both masters and slaves as you already suggested doing for security
reasons.  Mandating support for out-of-zone glue everywhere would also
work, but outlawing it does seem like the more realistic approach.

In practice, IXFR failures are likely to be caused by inconsistencies
in-domain glue, not out-of-domain glue, and the in-domain case is what
section 4 is primarily trying to address.
-- 
Andreas Gustafsson, gson@nominum.com

Follow-Ups:
- Re: Poison in a zone
  - From: Len Budney <lbudney@pobox.com>

References:
- update timing errors
  - From: "D. J. Bernstein" <djb@cr.yp.to>
- Re: update timing errors
  - From: Mark.Andrews@isc.org
- Re: update timing errors
  - From: "D. J. Bernstein" <djb@cr.yp.to>
- Poison in a zone
  - From: gson@nominum.com (Andreas Gustafsson)
- Re: Poison in a zone
  - From: "D. J. Bernstein" <djb@cr.yp.to>
- Re: Poison in a zone
  - From: gson@nominum.com (Andreas Gustafsson)
- Re: Poison in a zone
  - From: "D. J. Bernstein" <djb@cr.yp.to>

Prev by Date: Re: Last Call: IANA Considerations for RADIUS to Proposed Standard
Next by Date: Re: "Stuckees?"
Previous by thread: Re: Poison in a zone
Next by thread: Re: Poison in a zone
Index(es):
- Date
- Thread