From 9e2f5c46925bcd9ddb95e20138ca5c95ff361c8b Mon Sep 17 00:00:00 2001 From: Tirumaleswar Reddy <30891538+tireddy2@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:28:05 +0530 Subject: [PATCH 1/4] Add files via upload --- draft-ietf-add-resolver-info.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/draft-ietf-add-resolver-info.md b/draft-ietf-add-resolver-info.md index ef78c1a..fc94519 100644 --- a/draft-ietf-add-resolver-info.md +++ b/draft-ietf-add-resolver-info.md @@ -117,9 +117,11 @@ Reputation: using the RESINFO RR type and QNAME of "resolver.arpa". In this case, a client has to contend with the risk that a resolver does not support RESINFO. The resolver might pass the query upstream, and then the client can receive a positive RESINFO response either - from a legitimate upstream DNS resolver or an attacker. If a client sees the RESINFO in the - Answer section, it can detect that the response is not provided by the resolver - and discards the response. + from a legitimate upstream DNS resolver or an attacker. The client in the DNS query MUST + set the Recursion Desired (RD) bit set to 0 to ensure the response is provided by the resolver. + If the resolver does not support RESINFO, it will return an authoritative name error. + In addition, if a client sees the RESINFO in the Answer section, it can detect that + the response is not provided by the resolver and discards the response. # Format of the Resolver Information {#format} From e7687f574d3538bb67ea926ced913977b480419f Mon Sep 17 00:00:00 2001 From: Tirumaleswar Reddy <30891538+tireddy2@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:31:17 +0530 Subject: [PATCH 2/4] Add files via upload --- draft-ietf-add-resolver-info.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-add-resolver-info.md b/draft-ietf-add-resolver-info.md index fc94519..fd84f81 100644 --- a/draft-ietf-add-resolver-info.md +++ b/draft-ietf-add-resolver-info.md 
@@ -118,9 +118,9 @@ Reputation: with the risk that a resolver does not support RESINFO. The resolver might pass the query upstream, and then the client can receive a positive RESINFO response either from a legitimate upstream DNS resolver or an attacker. The client in the DNS query MUST - set the Recursion Desired (RD) bit set to 0 to ensure the response is provided by the resolver. + set the Recursion Desired (RD) bit set to 0 to ensure the response is provided by the resolver. If the resolver does not support RESINFO, it will return an authoritative name error. - In addition, if a client sees the RESINFO in the Answer section, it can detect that + In addition, if a client sees the RESINFO in the Answer section, it can detect that the response is not provided by the resolver and discards the response. # Format of the Resolver Information {#format} From ca6f6e27764690370f8e47e727454c018c57d4a5 Mon Sep 17 00:00:00 2001 From: Tirumaleswar Reddy <30891538+tireddy2@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:43:58 +0530 Subject: [PATCH 3/4] Update draft-ietf-add-resolver-info.md Co-authored-by: Med --- draft-ietf-add-resolver-info.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-add-resolver-info.md b/draft-ietf-add-resolver-info.md index fd84f81..cbe8b32 100644 --- a/draft-ietf-add-resolver-info.md +++ b/draft-ietf-add-resolver-info.md 
@@ -117,7 +117,7 @@ Reputation: using the RESINFO RR type and QNAME of "resolver.arpa". In this case, a client has to contend with the risk that a resolver does not support RESINFO. The resolver might pass the query upstream, and then the client can receive a positive RESINFO response either - from a legitimate upstream DNS resolver or an attacker. The client in the DNS query MUST + from a legitimate upstream DNS resolver or an attacker. The DNS client MUST set the Recursion Desired (RD) bit set to 0 to ensure the response is provided by the resolver. If the resolver does not support RESINFO, it will return an authoritative name error. In addition, if a client sees the RESINFO in the Answer section, it can detect that From 398a7358f4d8b0ae10e23b6d178590db620b62a7 Mon Sep 17 00:00:00 2001 From: Tirumaleswar Reddy <30891538+tireddy2@users.noreply.github.com> Date: Wed, 21 Feb 2024 14:44:13 +0530 Subject: [PATCH 4/4] Update draft-ietf-add-resolver-info.md Co-authored-by: Med --- draft-ietf-add-resolver-info.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-add-resolver-info.md b/draft-ietf-add-resolver-info.md index cbe8b32..75dcdca 100644 --- a/draft-ietf-add-resolver-info.md +++ b/draft-ietf-add-resolver-info.md @@ -118,7 +118,7 @@ Reputation: with the risk that a resolver does not support RESINFO. The resolver might pass the query upstream, and then the client can receive a positive RESINFO response either from a legitimate upstream DNS resolver or an attacker. The DNS client MUST - set the Recursion Desired (RD) bit set to 0 to ensure the response is provided by the resolver. + set the Recursion Desired (RD) bit of the query to 0 to ensure that the response is provided by the resolver. If the resolver does not support RESINFO, it will return an authoritative name error. In addition, if a client sees the RESINFO in the Answer section, it can detect that the response is not provided by the resolver and discards the response.
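Review bot: In PATCH 1/4, the added sentence "If the resolver does not support RESINFO, it will return an authoritative name error." states as fact the behaviour of resolvers that, by definition, do not implement this document, so the draft cannot guarantee it. Suggest phrasing it as client handling instead: anything other than a RESINFO response generated by the resolver itself (name error, another error code, an empty response) is treated as "no resolver information available". The added MUST line also reads "set the Recursion Desired (RD) bit set to 0", with "set" twice.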
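Review bot: In PATCH 2/4, both replaced lines are textually identical to the lines that replace them, so this is a whitespace-only change, and the subject "Add files via upload" (shared with 1/4) does not say so. Suggest squashing it into 1/4 and giving the resulting commit a subject that names the RD-bit requirement being added.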
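Review bot: In PATCH 3/4, replacing "The client in the DNS query MUST" with "The DNS client MUST" removes the only statement that the RD bit in question is the one in the query, while the following context line still reads "set the Recursion Desired (RD) bit set to 0". Both points are repaired only in 4/4; suggest folding 3/4 and 4/4 into one change so that no intermediate revision carries the ambiguous normative sentence.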
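Review bot: In PATCH 4/4, "to ensure that the response is provided by the resolver" overstates what clearing RD in the query gives the client: the same paragraph names an attacker as a possible source of a positive response, and the only response-side check in the context lines is "if a client sees the RESINFO in the Answer section", which does not say how such a response differs from one the resolver generated itself. Suggest naming the response field the client MUST check and the exact condition under which it discards the response, and changing "and discards the response" to "and discard the response".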