Message-ID: <0c74e187cfd2bc6ca5d8af3b3a367859bdbfe984@linux.dev>
Date: Mon, 24 Jun 2024 04:35:24 +0000
From: "Lance Yang" <lance.yang@...ux.dev>
To: "Rich Felker" <dalias@...c.org>, "Thorsten Glaser" <tg@...bsd.de>
Cc: musl@...ts.openwall.com, "Jan Mercl" <0xjnml@...il.com>, "Lance Yang" <ioworker0@...il.com>
Subject: Re: [PATCH 1/1] improve DNS resolution logic for parallel queries

June 24, 2024 at 3:23 AM, "Rich Felker" <dalias@...c.org> wrote:

> On Sun, Jun 23, 2024 at 06:52:54PM +0000, Thorsten Glaser wrote:
>
> > Lance Yang dixit:
> >
> > > I understand your concern that continuing the search after receiving an
> > > NXDOMAIN response might pose a security risk. Will look into this issue
> >
> > It’s not (just) a security risk, it’s how DNS works.
> >
> > NXDOMAIN means “I am a nameserver responsible for resolving your
> > query, and I can state with confidence that the entry you requested
> > does not exist” so no other responsible nameserver’s response can
> > rightly differ.

Yep, I got it wrong, thanks for clarifying!

> Moreover, if you're using a nameserver that validates DNSSEC it means
> "I am a nameserver.... and I have witnessed cryptographic proof that
> the name you requested does not exist or that the delegating authority
> at one level of the hierarchy made a delegation that opts out of
> further cryptographic validation."

Thanks again for the lesson!
Lance

> Rich
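
The rule discussed in this message, as an added example (not part of the original post and not musl's code): when the same query goes to several nameservers in parallel, the first well-formed NOERROR or NXDOMAIN reply settles it, and only failures such as SERVFAIL leave the query open. The function names and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { V_IGNORE, V_RETRY, V_FINAL_ANSWER, V_FINAL_NXDOMAIN };

/* Classify one reply to the query with ID qid (RFC 1035 header layout). */
enum verdict classify_reply(const uint8_t *pkt, size_t len, uint16_t qid)
{
    if (len < 12) return V_IGNORE;                    /* no complete header */
    if ((uint16_t)((pkt[0] << 8) | pkt[1]) != qid) return V_IGNORE;
    if (!(pkt[2] & 0x80)) return V_IGNORE;            /* QR=0: not a response */
    switch (pkt[3] & 0x0f) {                          /* RCODE, low nibble */
    case 0:  return V_FINAL_ANSWER;    /* NOERROR */
    case 3:  return V_FINAL_NXDOMAIN;  /* name does not exist: stop searching */
    case 2:  return V_RETRY;           /* SERVFAIL: this server could not tell */
    default: return V_IGNORE;          /* REFUSED, FORMERR, ...: wait for others */
    }
}

/* Index of the first reply (in arrival order) that settles the query, or -1. */
int first_final(const uint8_t *const pkts[], const size_t lens[], size_t n,
                uint16_t qid)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = classify_reply(pkts[i], lens[i], qid);
        if (v == V_FINAL_ANSWER || v == V_FINAL_NXDOMAIN) return (int)i;
    }
    return -1;
}

/* Constructed sample headers (12 bytes each), listed in arrival order. */
static const uint8_t R_SERVFAIL[12] = {0x12, 0x34, 0x81, 0x82};
static const uint8_t R_WRONG_ID[12] = {0xbe, 0xef, 0x81, 0x80, 0, 1, 0, 1};
static const uint8_t R_NXDOMAIN[12] = {0x12, 0x34, 0x81, 0x83, 0, 1};
static const uint8_t R_NOERROR[12]  = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1};
const uint8_t *const SAMPLE[] = {R_SERVFAIL, R_WRONG_ID, R_NXDOMAIN, R_NOERROR};
const size_t SAMPLE_LEN[] = {12, 12, 12, 12};

int main(void)
{
    int i = first_final(SAMPLE, SAMPLE_LEN, 4, 0x1234);
    printf("settled by reply %d, verdict %d\n", i,
           i < 0 ? -1 : (int)classify_reply(SAMPLE[i], SAMPLE_LEN[i], 0x1234));
    return 0;
}
```

With the sample replies, the NXDOMAIN at index 2 ends the lookup, so the NOERROR that arrives after it from another server is never consulted.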