Please write about DNS/実装/GbDns (DNS/Implementation/GbDns) here.

http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/

o Resolution algorithm (notes)
{{{
- Suppose we want to determine the answer to QNAME QTYPE
- We are given a list of root servers
- Set Bailiwick to "" ( root )
- Ask one of the Bailiwick servers the question ( QNAME, QTYPE )
- Response will either be authoritative or non-authoritative ( or an error code )
- If Authoritative
  - If RCODE is NXDOMAIN, that is the result
  - Check if there is a CNAME response: QNAME CNAME xxxxx
    - If so, that forms part of the final answer; change QNAME to xxxxx and restart
  - Otherwise add the matching answers to the final answer; we are finished
- If response is not authoritative
  - Authority section should contain a list of name servers
  - LHS ( the owner name of the NS records ) should be more specific than the current bailiwick ( if not, the server is lame )
  - Set Bailiwick to the LHS of the NS records
  - Continue ( but may first need to recursively resolve the name server IP address if it is not in-zone; glue in the Additional section is only usable when it lies under the new bailiwick )
- The above says nothing about caching
- Or whether to use A or AAAA when resolving the name server IP address
- Implemented
}}}

o Delegations should be time limited
{{{
- When the parent delegation expires, it should be re-fetched.
- And cache entries below the delegation should be deleted.
  - If the delegation has changed.
- DONE : child NS TTL limited by the parent, so it always expires first
}}}

o RRset status could be clarified / simplified
{{{
- Affects various things, including over-writing rules
- Level is a bit messy ?
- Decide what attributes are needed
  - Authoritative Data / Non-Authoritative
  - Parent Data / Child Data ( watch out for RRSIGs ? )
  - Local data ( loaded from file ) / Data fetched from elsewhere
  - Anything else?
- Also want to re-check delegations
  - But not keep re-fetching from the parent if the TTL has not expired
  - When we use an Authoritative NS RRset from the child
    - Check the parent NS RRset has not expired
    - If it has, we need to re-fetch the parent NS RRset
  - Done
}}}

o IP packet fragmentation
{{{
- Vulnerable to spoofing
- Sometimes just doesn't work due to faulty implementations ( firewalls, NATs )
- An attacker can spoof just a part of the whole packet ( a later fragment ), circumventing the transaction ID, which sits in the first fragment
- Hard to spoof OPT ( it is in the last fragment, and a forged fragment must still satisfy the UDP checksum, which is carried in the first fragment )
- Mitigations ( ideas - these may not work )
  - Discard unsigned records unless they are in the first 512 bytes of the reply
  - Signed records must be checked before being cached/used
  - Only clean solution seems to be some kind of protocol extension
    - Package the response in TXT records
    - Xor-ed with Ping data
    - Hmm...
  - Or sign everything?
  - Or resolver mitigation
    - Put a limit on question length ( may cause problems ... )
    - Problem if Question + NS RRset does not fit in the first 512 bytes
- Suggestion
  - The server Xor's RRdata with the transaction ID
  - This means a blind attacker can no longer predict the data in the Additional section
  - The UDP checksum should now catch forgery attempts ( caveat: the UDP checksum is a 16-bit ones' complement sum, so an attacker who controls the bytes of the spoofed fragment can compensate for it; it is a weak check )
  - Support signalled by an OPT record ( or bit ) sent by the client
- Another way:
  - Include a page selection OPT record ( indicates which "page" of the response we want )
}}}

o Which records in a response are essential
{{{
- Records whose owner name exactly matches the question ( type and name, or CNAME and name )
- NS records where the question name ends with the owner name ( referral )
- All other records are inessential [ Implemented: discard them when convergence is slow ]
}}}
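The resolution walk, the essential-record rule and the child-NS TTL cap from the notes above, as an added example in Python. This is not GbDns code; the server names, addresses and zone contents are constructed for the example, and the in-memory `Server` class stands in for real authoritative servers (no network I/O).

```python
from collections import namedtuple

RR = namedtuple("RR", "name rtype ttl data")   # owner names lower case, no trailing dot, "" = root
Response = namedtuple("Response", "aa rcode answer authority additional",
                      defaults=("NOERROR", (), (), ()))

def in_zone(name, zone):
    return zone == "" or name == zone or name.endswith("." + zone)

class Server:
    """Toy authoritative server; `zones` maps zone apex -> [RR] (constructed data)."""
    def __init__(self, zones):
        self.zones = zones

    def query(self, qname, qtype):
        apexes = [z for z in self.zones if in_zone(qname, z)]
        if not apexes:
            return Response(aa=False, rcode="REFUSED")
        apex = max(apexes, key=len)
        rrs = self.zones[apex]
        # A delegation below the apex that covers qname yields a non-authoritative referral
        cuts = [r.name for r in rrs if r.rtype == "NS" and r.name != apex and in_zone(qname, r.name)]
        if cuts:
            ns = [r for r in rrs if r.rtype == "NS" and r.name == max(cuts, key=len)]
            glue = [r for r in rrs if r.rtype == "A" and r.name in {n.data for n in ns}]
            return Response(aa=False, authority=ns, additional=glue)
        ans = [r for r in rrs if r.name == qname and r.rtype in (qtype, "CNAME")]
        if ans or any(r.name == qname for r in rrs):
            return Response(aa=True, answer=ans)      # answer, CNAME, or NODATA
        return Response(aa=True, rcode="NXDOMAIN")

def essential(rr, qname, qtype):
    """Essential-record rule: exact match on the question (or a CNAME at the question
    name), or NS records whose owner name covers the question name (a referral)."""
    if rr.name == qname and rr.rtype in (qtype, "CNAME"):
        return True
    return rr.rtype == "NS" and in_zone(qname, rr.name)

def cap_child_ns(child_ns, parent_ns):
    """Child NS TTL limited by the parent delegation's TTL, so the child expires first."""
    parent_ttl = min(r.ttl for r in parent_ns)
    return [RR(r.name, r.rtype, min(r.ttl, parent_ttl), r.data) for r in child_ns]

class Resolver:
    def __init__(self, network, roots):
        self.network, self.roots = network, roots    # {ip: Server}, root server ips
        self.lame = []                               # (ip, bailiwick) of lame referrals seen

    def resolve(self, qname, qtype, depth=0):
        """Iterative walk from the roots; returns (records, rcode)."""
        if depth > 8:
            return [], "SERVFAIL"                    # runaway name-server address resolution
        final, bailiwick, servers, hops = [], "", list(self.roots), 0
        while servers and hops < 30:
            hops += 1
            ip = servers.pop(0)
            resp = self.network[ip].query(qname, qtype)
            if resp.aa and resp.rcode == "NXDOMAIN":
                return final, "NXDOMAIN"
            if resp.rcode != "NOERROR":
                continue                             # error code: try the next server
            if resp.aa:
                ans = [r for r in resp.answer if essential(r, qname, qtype)]
                cn = [r for r in ans if r.rtype == "CNAME"]
                if cn and qtype != "CNAME":          # CNAME: keep it, retarget, restart at root
                    final, qname = final + cn, cn[0].data
                    bailiwick, servers = "", list(self.roots)
                    continue
                return final + ans, "NOERROR"
            ns = [r for r in resp.authority if essential(r, qname, qtype)]
            new_bw = ns[0].name if ns else None
            if new_bw is None or not (in_zone(new_bw, bailiwick) and len(new_bw) > len(bailiwick)):
                self.lame.append((ip, bailiwick))    # referral not below the current bailiwick
                continue
            bailiwick, servers = new_bw, []
            for r in ns:
                # In-zone glue is usable; an out-of-zone name server must be resolved separately
                glue = [a for a in resp.additional
                        if a.rtype == "A" and a.name == r.data and in_zone(a.name, bailiwick)]
                if not glue:
                    glue, _ = self.resolve(r.data, "A", depth + 1)
                servers += [a.data for a in glue if a.rtype == "A"]
        return final, "SERVFAIL"

# Constructed network: a root, the "test" TLD, one hosting server, and a lame server.
ROOT_ZONE = [RR("test", "NS", 3600, "a.nic.test"), RR("a.nic.test", "A", 3600, "192.0.2.1")]
NETWORK = {
    "198.41.0.4": Server({"": ROOT_ZONE}),
    "192.0.2.1": Server({"test": [
        RR("example.test", "NS", 600, "ns1.example.test"), RR("ns1.example.test", "A", 600, "192.0.2.2"),
        RR("other.test", "NS", 600, "ns1.example.test"),    # out-of-zone name server, no usable glue
        RR("lame.test", "NS", 600, "ns.lame.test"), RR("ns.lame.test", "A", 600, "192.0.2.3")]}),
    "192.0.2.2": Server({
        "example.test": [RR("example.test", "NS", 86400, "ns1.example.test"),
                         RR("ns1.example.test", "A", 86400, "192.0.2.2"),
                         RR("www.example.test", "CNAME", 300, "host.other.test")],
        "other.test": [RR("other.test", "NS", 600, "ns1.example.test"),
                       RR("host.other.test", "A", 300, "192.0.2.10")]}),
    "192.0.2.3": Server({"": ROOT_ZONE}),   # misconfigured: only knows the root, refers back up
}
```

`Resolver(NETWORK, ["198.41.0.4"]).resolve("www.example.test", "A")` walks root, TLD and hosting server, follows the CNAME to `host.other.test`, and has to resolve `ns1.example.test` separately because the TLD's glue for it lies outside the `other.test` bailiwick; `resolve("www.lame.test", "A")` ends in SERVFAIL because 192.0.2.3 refers back to `test`, which is not below the bailiwick `lame.test`, and that server is recorded in `Resolver.lame`.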