DNS Attacks

Bruno Wolff III bruno at wolff.to
Sat Jul 26 03:48:50 UTC 2008


On Fri, Jul 25, 2008 at 15:14:15 -0700,
  John Cornelius <jc at hangarpilot.net> wrote:
>
>
> Bruno Wolff III wrote:
>> ------snip-----
>> Generally you mean the appropriate TLD servers as most newly registered
>> domains don't go into the root servers.
>>
> Actually, I believe that they do but all that they do is provide a
> pointer to the appropriate name server for the domain. Perhaps that's
> what you meant but it didn't sound like it.

No. The root servers have NS records for the TLD servers (some of which may
be on the same hardware as some root servers) and the TLD servers have NS
records for domains commonly registered. (Some domains are registered at
even lower levels, such as is common in several country code TLDs.)
The NS records include the name that points to the server that is authoritative
for that domain. (Though the domain pointed to may delegate that authority to
yet another server.) Along with the NS records a server being queried will
return glue records with the IP addresses of the servers being pointed to.
(The design of DNS isn't that great and the IP addresses really should have
been used in the NS records.) However, if the server being queried isn't
authoritative for the domain being pointed to you need to not trust that the IP
address applies for anything other than this query. (Some resolvers will
discard out-of-bailiwick glue records and you certainly don't want to cache
them where they could be used to resolve other queries.)
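As an added illustration of the bailiwick rule described above (example code, not part of the original message): a resolver-side filter that sorts the glue addresses in a referral into those that may be cached, those usable only for this query, and those to discard. Zone names and addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "ns1.example.com."
    rtype: str   # "NS", "A" or "AAAA"
    rdata: str   # target name for NS, address for A/AAAA


def normalize(name: str) -> str:
    # DNS names are case-insensitive; compare fully qualified, lower-case forms.
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    # True if name is the zone apex or lies beneath it (respecting label boundaries).
    name, zone = normalize(name), normalize(zone)
    return zone == "." or name == zone or name.endswith("." + zone)


def split_glue(answering_zone: str, ns_records, additional):
    """Classify additional-section address records from a referral.

    cacheable  : glue for a referenced NS whose owner name is inside the zone
                 the answering server is authoritative for
    query_only : glue for a referenced NS that is out of bailiwick; needed to
                 follow this referral but must not be cached for other queries
    dropped    : anything not referenced by an NS record in the referral
    """
    needed = {normalize(r.rdata) for r in ns_records if r.rtype == "NS"}
    cacheable, query_only, dropped = [], [], []
    for rr in additional:
        if rr.rtype not in ("A", "AAAA") or normalize(rr.name) not in needed:
            dropped.append(rr)
        elif in_bailiwick(rr.name, answering_zone):
            cacheable.append(rr)
        else:
            query_only.append(rr)
    return cacheable, query_only, dropped


if __name__ == "__main__":
    # Constructed referral for example.com from a server authoritative for "com."
    ns = [RR("example.com.", "NS", "ns1.example.com."),
          RR("example.com.", "NS", "ns2.example.net.")]
    extra = [RR("ns1.example.com.", "A", "192.0.2.10"),
             RR("ns2.example.net.", "A", "198.51.100.20"),
             RR("www.example.com.", "A", "203.0.113.5")]
    for label, rrs in zip(("cacheable", "query-only", "dropped"), split_glue("com.", ns, extra)):
        print(label, [r.name for r in rrs])
```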
