Connected: An Internet Encyclopedia
RFC 2065, Section 5: Non-existent Names and Types

5.5 Blocking NXT Pseudo-Zone Transfers
In a secure zone, a resolver can query for the initial NXT RR associated with the zone name (the apex). Using the next domain name RDATA field from that RR, it can query for the next NXT RR, and by repeating this until the chain wraps back to the apex it can walk through every NXT in the zone. If there are no wildcards, this technique enumerates every name in the zone. If the resolver also issues a type ANY query for each name it discovers, it can incrementally retrieve all of the zone's data and thus defeat attempts to administratively block zone transfers (a "pseudo-zone transfer").

If there are any wildcards, this NXT walking technique will not find any more specific RR names in the part of the name space the wildcard covers. By doing explicit retrievals for wildcard names, a resolver could determine what intervals are covered by wildcards but still could not, with these techniques, find any names inside such intervals except by trying every name.

If it is desired to block NXT walking, the recommended method is to add a zone-wide wildcard of the KEY type with the no-key type value and with no type (zone, entity, or user) bit set. This results in a single NXT RR covering the whole zone, which leaks no information about what real names exist in it. This protection from pseudo-zone transfers is bought at the expense of eliminating the data origin authentication of the non-existence of names that NXT RRs otherwise provide: if an entire zone is covered by a wildcard, a malicious server can answer a query for an existing, more specific name with an RR synthesized from the wildcard NXT, and can thus hide all the real data and delegations in the zone that have more specific names.
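The following is an added example, not code from RFC 2065 or from the Connected encyclopedia. It models a signed zone's NXT chain in memory, implements the resolver-side chain walk from the first paragraph above, and then applies the two wildcard cases from the later paragraphs: a wildcard over a subtree (names inside that interval disappear from the walk) and the zone-wide wildcard KEY countermeasure (the walk collapses to the apex and the wildcard owner). The zone contents are constructed sample data, and the rule that names covered by a wildcard get no NXT RR of their own is a simplification of the RFC's wildcard/NXT interaction, adopted here because it is what the text above describes.

```python
from typing import Callable, Dict, List, Sequence, Tuple


def canonical_key(name: str) -> Tuple[str, ...]:
    """Sort key for DNSSEC canonical name order: labels are compared from the
    root leftwards, case-insensitively ('*' sorts before letters at a level)."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def covered_by_wildcard(name: str, wildcards: Sequence[str]) -> bool:
    """True if some '*.parent.' wildcard would synthesize answers for `name`,
    i.e. name is strictly below parent and is not the wildcard owner itself."""
    n = name.lower()
    for wc in wildcards:
        parent = wc.lower()[2:]  # strip the leading "*."
        if n != wc.lower() and n != parent and n.endswith("." + parent):
            return True
    return False


def build_nxt_chain(apex: str, names: Sequence[str],
                    wildcards: Sequence[str] = ()) -> Dict[str, str]:
    """Server/signer side: owner name -> 'next domain name' for each NXT RR.
    Simplified model (assumption, see lead-in): names inside a wildcard's
    interval get no NXT of their own, so they never appear in the chain.
    The last NXT in canonical order wraps around to the apex."""
    owners = {apex, *wildcards,
              *[n for n in names if not covered_by_wildcard(n, wildcards)]}
    ordered = sorted(owners, key=canonical_key)
    return {o: ordered[(i + 1) % len(ordered)] for i, o in enumerate(ordered)}


def walk_nxt(apex: str, query_nxt: Callable[[str], str],
             limit: int = 10000) -> List[str]:
    """Resolver side: the pseudo-zone transfer. Query the NXT at the apex,
    then query the NXT at each 'next domain name' until the chain wraps back
    to the apex. Returns every owner name the chain reveals, in order.
    `limit` guards against a malformed or malicious chain that never wraps."""
    seen: List[str] = []
    cur = apex
    for _ in range(limit):
        seen.append(cur)
        nxt = query_nxt(cur)  # simulated NXT query; a real walker would do DNS I/O
        if nxt == apex:
            return seen
        cur = nxt
    raise RuntimeError("NXT chain did not return to apex (loop or malformed zone)")


# Constructed sample zone (not real data).
APEX = "example."
NAMES = ["www.example.", "mail.example.", "DB-Internal.example.",
         "vpn.example.", "dev.vpn.example."]


def demo_open_zone() -> List[str]:
    """No wildcards: the walk enumerates every name in the zone."""
    chain = build_nxt_chain(APEX, NAMES)
    return walk_nxt(APEX, lambda owner: chain[owner])


def demo_partial_wildcard() -> List[str]:
    """A '*.vpn.example.' wildcard: the walk still finds names outside that
    subtree, and sees the wildcard owner, but dev.vpn.example. is hidden."""
    chain = build_nxt_chain(APEX, NAMES, wildcards=["*.vpn.example."])
    return walk_nxt(APEX, lambda owner: chain[owner])


def demo_blocked_zone() -> List[str]:
    """Countermeasure from 5.5: a zone-wide wildcard KEY RR (no-key type
    value, no zone/entity/user bit) covers everything below the apex, so the
    walk reveals only the apex and the wildcard owner name."""
    chain = build_nxt_chain(APEX, NAMES, wildcards=["*.example."])
    return walk_nxt(APEX, lambda owner: chain[owner])


if __name__ == "__main__":
    print("open zone      :", demo_open_zone())
    print("subtree wildcard:", demo_partial_wildcard())
    print("zone-wide KEY   :", demo_blocked_zone())
```

The trade-off the text warns about is visible in the last case: once the chain is just apex and wildcard, a resolver that asks for `mail.example.` and gets back the wildcard NXT can no longer tell a genuinely absent name from one a server chose to hide, because that same NXT legitimately covers both.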
