Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 23 Jun 2024 15:23:16 -0400
From: Rich Felker <dalias@...c.org>
To: Thorsten Glaser <tg@...bsd.de>
Cc: musl@...ts.openwall.com, Jan Mercl <0xjnml@...il.com>,
	Lance Yang <ioworker0@...il.com>
Subject: Re: [PATCH 1/1] improve DNS resolution logic for parallel
 queries

On Sun, Jun 23, 2024 at 06:52:54PM +0000, Thorsten Glaser wrote:
> Lance Yang dixit:
> 
> >I understand your concern that continuing the search after receiving an
> >NXDOMAIN response might pose a security risk. Will look into this issue
> 
> It’s not (just) a security risk, it’s how DNS works.
> 
> NXDOMAIN means “I am a nameserver responsible for resolving your
> query, and I can state with confidence that the entry you requested
> does not exist” so no other responsible nameserver’s response can
> rightly differ.

Moreover, if you're using a nameserver that validates DNSSEC it means
"I am a nameserver.... and I have witnessed cryptographic proof that
the name you requested does not exist or that the delegating authority
at one level of the hierarchy made a delegation that opts out of
further cryptographic validation."

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.