Date: Mon, 24 Jun 2024 10:57:13 -0400
From: Rich Felker <dalias@...c.org>
To: Lance Yang <lance.yang@...ux.dev>
Cc: Thorsten Glaser <tg@...bsd.de>, musl@...ts.openwall.com,
	Jan Mercl <0xjnml@...il.com>, Lance Yang <ioworker0@...il.com>
Subject: Re: [PATCH 1/1] improve DNS resolution logic for parallel
 queries

On Mon, Jun 24, 2024 at 11:56:01AM +0000, Lance Yang wrote:
> June 24, 2024 at 2:52 AM, "Thorsten Glaser" <tg@...bsd.de> wrote:
> > 
> > Lance Yang dixit:
> > 
> > > I understand your concern that continuing the search after receiving an
> > > NXDOMAIN response might pose a security risk. Will look into this issue
> > 
> > It’s not (just) a security risk, it’s how DNS works.
> > 
> > NXDOMAIN means “I am a nameserver responsible for resolving your
> > query, and I can state with confidence that the entry you requested
> > does not exist” so no other responsible nameserver’s response can
> > rightly differ.
> 
> Sorry to bother you again. Could you please let me know from which
> document or standard this description is taken?
> 
> Any details about the specific RFC, technical documentation, or other
> authoritative sources would be greatly appreciated.

RFC 2308 is the main source I can think of for clarifying the meaning
and expected behavior for NxDomain. The only relevant amendments I can
find are RFC 8020 and 9520, but neither of them change anything
related to the basic meaning.

Rich
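
The NXDOMAIN semantics discussed in this thread, as an added example (not musl's code and not the patch under review): a stub resolver that queried several nameservers in parallel stops at the first conclusive reply, and only replies such as SERVFAIL leave the search open. The names `classify_reply` and `resolve` and the header-only sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RCODE values from RFC 1035, section 4.1.1 */
enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3 };
enum verdict { INCONCLUSIVE, NAME_EXISTS, NAME_DOES_NOT_EXIST };
struct reply { const unsigned char *pkt; size_t len; };

/* Classify one reply to the query with ID qid (hypothetical helper). */
static enum verdict classify_reply(const unsigned char *pkt, size_t len, uint16_t qid)
{
    if (len < 12) return INCONCLUSIVE;           /* shorter than a DNS header */
    if ((uint16_t)(pkt[0] << 8 | pkt[1]) != qid) return INCONCLUSIVE; /* not our query */
    if (!(pkt[2] & 0x80)) return INCONCLUSIVE;   /* QR bit clear: not a response */
    switch (pkt[3] & 0x0f) {                     /* RCODE is the low 4 bits of byte 3 */
    case RCODE_NOERROR:  return NAME_EXISTS;         /* answer, or NODATA (RFC 2308) */
    case RCODE_NXDOMAIN: return NAME_DOES_NOT_EXIST; /* definitive negative answer */
    default:             return INCONCLUSIVE;        /* SERVFAIL, REFUSED: says nothing about the name */
    }
}

/* Walk replies in arrival order and stop at the first conclusive one. */
static enum verdict resolve(const struct reply *r, size_t n, uint16_t qid, size_t *used)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = classify_reply(r[i].pkt, r[i].len, qid);
        if (v != INCONCLUSIVE) { *used = i; return v; }
    }
    *used = n;                                   /* nothing conclusive arrived */
    return INCONCLUSIVE;
}

/* Constructed sample headers (question section omitted), ID 0x1234, QR=1 RD=1 RA=1 */
static const unsigned char srv_a[] = {0x12,0x34,0x81,0x82,0,1,0,0,0,0,0,0}; /* SERVFAIL */
static const unsigned char srv_b[] = {0x12,0x34,0x81,0x83,0,1,0,0,0,0,0,0}; /* NXDOMAIN */
static const unsigned char srv_c[] = {0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0}; /* NOERROR, 1 answer */
static const struct reply arrival[] = {
    { srv_a, sizeof srv_a }, { srv_b, sizeof srv_b }, { srv_c, sizeof srv_c },
};

int main(void)
{
    size_t used;
    enum verdict v = resolve(arrival, 3, 0x1234, &used);
    printf("verdict=%d from reply %zu\n", v, used);
    return 0;
}
```

With the sample arrival order, the SERVFAIL from the first server is skipped, the NXDOMAIN from the second ends the search, and the later NOERROR reply is never consulted.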