## page was renamed from DNS/hitchhiker/bailiwick-rule
## page was renamed from DNS/bailiwick-rule
== DNS/bailiwick-rule ==

[[DNS/in-bailiwick]] [[DNS/out-of-bailiwick]]

Hitchhiker's guide to cache poisoning

= 6.5 Bailiwick rule =

{{{
The primary purpose of the bailiwick rule is to prevent an authoritative server from claiming the mappings from domain names belonging to other authorities.
}}}

Its main purpose is to check that the party the cache server queried (some zone server) does not claim authority over "records it has no authority for". From this standpoint, the viewpoint is different from the question of whether a name is an internal name. -- ToshinoriMaeno <>

{{{
To determine whether the bailiwick-checking logic of BIND and Unbound resolvers achieves this, we used ProVerif to verify the following three properties:
}}}

{{{
query ev:evPoison(NSt/At/CNAMEt, targetname, dst, tl, cachedns, cacheda, cachedc)
      −→ ev:evRecursiveQueryStart(query, bailiwick, bailiwickAAserver)
          ∧ isSubName:query, bailiwick
          ∧ isSubName:targetname, bailiwick
}}}

These properties say that a record can enter the cache (represented by the cache poisoning event, since in our model all responses arrive from the network attacker) only in response to a recursive query and only if targetname and query are subdomains of bailiwick. Here bailiwick is the authority name closest to the domain label in the query. According to ProVerif, these three properties hold in our model.

{{{
Therefore, the domain name of both legitimate and forged responses must be a subdomain of the proper bailiwick, as determined by the DNS resolver.
}}}

Note, however, that the bailiwick depends on the label of the current query. An attacker may initiate a query for a domain of his choice or manipulate the resolver into issuing such a query (e.g., by tricking one of the resolver's users into visiting a webpage with a link to the domain), thus ensuring that forged responses do not violate the bailiwick rule.

-----
(Conclusion) The bailiwick rule does not prevent forged-response attacks.
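The following is an added example, written for this page and not taken from the paper, BIND or Unbound. It models the check stated by the ProVerif property above: a record may enter the cache only if both the query name and the record's owner name (targetname) lie under the bailiwick, where the bailiwick is the closest known authority name above the query. The zone list, query and response records are constructed for illustration; the function names are assumptions, not resolver APIs. The comparison is done label by label (not by string suffix), so that a zone such as notbank.example. is never mistaken for bank.example.

```python
from __future__ import annotations

# Constructed sample data: the authority names the resolver already knows
# about, a client query, and one response as it might arrive from the network.
KNOWN_ZONES = [".", "example.", "bank.example."]
SAMPLE_QUERY = "www.bank.example."
SAMPLE_RESPONSE = [
    ("www.bank.example.", "A", "192.0.2.10"),        # answer for the query
    ("bank.example.", "NS", "ns1.bank.example."),     # authority, in-bailiwick
    ("ns1.bank.example.", "A", "192.0.2.53"),         # glue, in-bailiwick
    ("www.other.example.", "A", "198.51.100.7"),      # unrelated name
    ("ns1.example.", "A", "198.51.100.53"),           # parent-zone name
]


def labels(name: str) -> list[str]:
    """Split a DNS name into labels, root-first and case-folded.
    The root "." yields an empty list."""
    return [l.lower() for l in name.rstrip(".").split(".") if l][::-1]


def is_sub_name(name: str, zone: str) -> bool:
    """isSubName from the property: name equals zone or lies beneath it."""
    n, z = labels(name), labels(zone)
    return n[: len(z)] == z


def closest_bailiwick(query: str, known_zones: list[str]) -> str:
    """The bailiwick for a query is the known authority name closest to it,
    i.e. the longest known zone that the query name lies under."""
    best = "."
    for zone in known_zones:
        if is_sub_name(query, zone) and len(labels(zone)) > len(labels(best)):
            best = zone
    return best


def filter_response(query: str, bailiwick: str, records: list[tuple[str, str, str]]):
    """Apply the bailiwick rule: keep a record only if the query name and the
    record owner name are both subdomains of bailiwick. Returns (accepted, rejected).
    Note that nothing here looks at who sent the response; the rule constrains
    owner names only, which is exactly the limitation the page concludes with."""
    accepted, rejected = [], []
    for owner, rtype, rdata in records:
        if is_sub_name(query, bailiwick) and is_sub_name(owner, bailiwick):
            accepted.append((owner, rtype, rdata))
        else:
            rejected.append((owner, rtype, rdata))
    return accepted, rejected


def demo():
    """Run the check on the constructed sample and return (bailiwick, accepted, rejected)."""
    bailiwick = closest_bailiwick(SAMPLE_QUERY, KNOWN_ZONES)
    accepted, rejected = filter_response(SAMPLE_QUERY, bailiwick, SAMPLE_RESPONSE)
    return bailiwick, accepted, rejected


if __name__ == "__main__":
    bw, acc, rej = demo()
    print("bailiwick:", bw)
    for r in acc:
        print("accept", r)
    for r in rej:
        print("reject", r)
```

Running it shows the two out-of-bailiwick records being dropped while the answer, the NS record and its glue are kept. Because the bailiwick is derived from the query name, a different query under another known zone yields a different bailiwick, and any response carrying owner names under that bailiwick satisfies the rule regardless of its origin.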