1. How Deadwood stops blind spoofing attacks
Deadwood's recursive resolver is written with the following philosophy:
- The only answers that Deadwood will place in the cache while resolving a name are either pointers to incomplete NS referrals or the direct answer to the question originally given to Deadwood.
  For example, if someone asks Deadwood "what is the IP for www.paypal.com", Deadwood will only add the following records to the cache while resolving www.paypal.com:
  - The IPs of the name servers for anything ending in ".com" that doesn't otherwise have a name server. These IPs can only be set by the root server IPs (which are either the default ICANN root servers built in to Deadwood or those specified in one's dwood3rc file).
  - The IPs of the name servers for anything ending in "paypal.com". These can be added only by the root name servers or by the name servers that the root servers delegated as the name servers for ".com". No other servers are allowed to assign name servers for "paypal.com".
  - The IP for "www.paypal.com".
- A name server delegation must be part of the domain asked for.
  If someone asks for "random-name-00000001.com", any answers received will only affect ".com" (if they come from the root servers) or "random-name-00000001.com" (but only if they come from the .com servers). See dwx_string_bailiwick_query() in DwRecurse.c.
The information about what name servers to use for a given domain, say "example.com", can only come from one of the following two sources:
- The root name servers
- The name servers designated to serve ".com" domains.
Information given by example.com's own name servers only affects names ending in "example.com"; it does not affect the name servers for example.com itself [5].
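As an added illustration (not Deadwood's own code, and a deliberate simplification of what dwx_string_bailiwick_query() does), the following Python models the two cache-admission rules described above and walks the www.paypal.com example through a constructed set of replies; the record tuples, the zone names other than those on the page, and the 192.0.2.x addresses are made up for the demonstration.

```python
def labels(name: str) -> list:
    """Split a DNS name into lower-case labels; '' or '.' is the root."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it. Comparison is
    label-wise, so 'evilpaypal.com' is NOT inside 'paypal.com'."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def accept_into_cache(question: str, server_zone: str, rr: tuple) -> bool:
    """Decide whether rr = (owner, rtype, rdata), sent by a server that
    was reached as authoritative for server_zone, may enter the cache
    while resolving question. Glue IPs ride along with the NS referral
    in this model."""
    owner, rtype, _rdata = rr
    if rtype == "NS":
        # Rule 1: only a parent zone may delegate. The root may delegate
        # 'com' and the .com servers 'paypal.com'; a server may delegate
        # neither itself nor a name outside its own zone.
        if labels(owner) == labels(server_zone):
            return False
        if not in_bailiwick(owner, server_zone):
            return False
        # Rule 2: the delegation must be part of the name asked for.
        # While resolving random-name-00000001.com, an NS set for
        # paypal.com is dropped even when the .com servers send it.
        return in_bailiwick(question, owner)
    # Anything else is cached only as the direct answer to the question.
    return labels(owner) == labels(question)


if __name__ == "__main__":
    q = "www.paypal.com"
    # Constructed sample replies: the real referral chain plus two
    # records a resolver without bailiwick checks would have cached.
    replies = [
        ("", ("com", "NS", "192.0.2.1")),
        ("com", ("paypal.com", "NS", "192.0.2.2")),
        ("com", ("example.com", "NS", "192.0.2.3")),
        ("paypal.com", (q, "A", "192.0.2.10")),
        ("paypal.com", ("mail.paypal.com", "A", "192.0.2.11")),
    ]
    for zone, rr in replies:
        verdict = "cache" if accept_into_cache(q, zone, rr) else "drop"
        print(f"from {zone or '.'} servers: {rr[0]:16} {rr[1]:2} -> {verdict}")
```

Running it shows the root-to-.com and .com-to-paypal.com referrals and the final A record being cached, while the unrelated example.com delegation and the extra mail.paypal.com record are dropped.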