1. DNS/qname-minimisation/broken_CDN

Query name minimization and authoritative DNS server behavior

DNS-OARC 2015 Spring Workshop, Amsterdam, Netherlands, May 9th 2015

https://indico.dns-oarc.net/event/21/contributions/298/attachments/267/487/qname-min.pdf

Cloudflare is aware of this defect and plans to fix it in the near future.
Update: April 2015 from Cloudflare. The problem has been fixed.

https://twitter.com/beyondDNS/status/916154514096324608

This is the result of an elb.amazonaws\.com (NS) query.

Checking again, it no longer returns NXDOMAIN. Since when, I wonder. -- ToshinoriMaeno 2018-08-27 13:31:53

1.1. debian

Re: DNS Qname minimisation https://lists.debian.org/debian-project/2016/03/msg00044.html

There are serious potential operation issues with Qname minimization.

-- ToshinoriMaeno 2017-06-11 04:48:38

akamai, awsdns, cloudflare and others were listed, but it appears they have since been fixed. -- ToshinoriMaeno 2018-08-27 13:08:19

There is a workaround available for the broken-CDN issue: on the first
NXDOMAIN reply from an intermediary (Qname minimized) query, you disable
Qname minimization entirely and do the full query.  This opens up Qname
minimization to attacks that "disable it" by triggering this workaround
and forcing a full query.

Worse, if this workaround is the only way for a future DNS application
to signal Qname minimization resolvers to query the full name on a deep
chain (see below), it *will* get used (and/or abused) for that,
effectively redefining what NXDOMAIN means in practice, and not in a
helpful way.  This is not a good thing for DNS operations and future
scalability, at all.

In IPv6 reverse zones there is a concern about amplification (the deep-chain issue).
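To make the broken-CDN fallback quoted above and the deep-chain cost concrete, here is an added toy model (not code from the page, the Debian thread, or any real resolver). It assumes the resolver already knows the zone cut and minimises only below it, against two constructed authoritative behaviours: a pre-fix CDN server that answers NXDOMAIN for any name without its own records, and an RFC 8020-style server that answers NOERROR for empty non-terminals. All zone names are constructed.

```python
# Added example: a toy qname-minimising resolver (RFC 7816 style, simplified:
# one label per step, no label cap) walking a single zone, plus the
# NXDOMAIN-triggered fallback workaround described in the Debian thread.
NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"

def broken_cdn_auth(qname, names):
    """Constructed pre-fix CDN behaviour: NXDOMAIN unless qname itself has a record,
    even when longer names below it exist (violates RFC 8020)."""
    return NOERROR if qname in names else NXDOMAIN

def rfc8020_auth(qname, names):
    """Correct behaviour: an ancestor of an existing name is an empty non-terminal
    and gets NOERROR (no data); only names with nothing below them get NXDOMAIN."""
    hit = any(n == qname or n.endswith("." + qname) for n in names)
    return NOERROR if hit else NXDOMAIN

def resolve(fqdn, zone, auth, names, fallback=False):
    """Minimise within `zone`: ask for zone+1 label, zone+2 labels, ... up to fqdn.
    Returns (final status, list of (qname, status) pairs sent to the authoritative).
    With fallback=True, the first NXDOMAIN on an intermediate name abandons
    minimisation and sends the full name, as in the workaround quoted above."""
    rel = fqdn[: -len(zone) - 1].split(".")  # labels below the zone apex
    sent, status = [], NOERROR
    for depth in range(1, len(rel) + 1):
        partial = ".".join(rel[-depth:] + [zone])
        status = auth(partial, names)
        sent.append((partial, status))
        if status == NXDOMAIN:
            if fallback and partial != fqdn:
                status = auth(fqdn, names)  # workaround: full-name query
                sent.append((fqdn, status))
            break
    return status, sent

if __name__ == "__main__":
    names = {"host.region.elb.cdn.example"}  # constructed zone content
    for auth in (broken_cdn_auth, rfc8020_auth):
        for fb in (False, True):
            print(auth.__name__, "fallback" if fb else "strict",
                  resolve("host.region.elb.cdn.example", "cdn.example", auth, names, fb))
    # deep chain: 24 nibble labels under a constructed /32 ip6.arpa zone
    zone = "8.b.d.0.1.0.0.2.ip6.arpa"
    rev = ".".join("0" * 24) + "." + zone
    print("reverse-zone queries:", len(resolve(rev, zone, rfc8020_auth, {rev})[1]))
```

The strict run against the broken server resolves an existing name to NXDOMAIN, the fallback run recovers it at the cost of an extra query, and the reverse-zone run shows 24 queries where a non-minimising resolver sends one.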

Shumon Huque, Verisign Labs: Query name minimization and authoritative DNS server behavior. DNS-OARC 2015 Spring Workshop, Amsterdam, Netherlands, May 9th 2015.

https://indico.dns-oarc.net/event/21/contribution/9/material/slides/0.pdf