[106260] in North American Network Operators' Group
Re: TLD servers with recursion was Re: Exploit for DNS Cache
daemon@ATHENA.MIT.EDU (Gadi Evron)
Thu Jul 24 21:07:13 2008
Date: Thu, 24 Jul 2008 20:05:29 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
To: Steve Bertrand <steve@ibctech.ca>
In-Reply-To: <488902F5.8040907@ibctech.ca>
Cc: nanog@nanog.org, Martin Hannigan <hannigan@verneglobal.com>
Errors-To: nanog-bounces@nanog.org
On Thu, 24 Jul 2008, Steve Bertrand wrote:
> Gadi Evron wrote:
>> On Thu, 24 Jul 2008, Martin Hannigan wrote:
>>>
>>>> I personally know several folks from within and wayyy from outside the DNS
>>>> world who discovered this very out there and obvious issue and worked hard
>>>> to try and contact the operators. Those that haven't fixed it yet, likely
>>>> won't if all things remain even.
>>>>
>>>
>>> I don't know that a failure to act immediately is indicative of ignoring
>>> the problem. Not to defend AT&T or any other provider, but it's not as
>>> simple as rolling out a patch.
>>
>> Marty, are we talking of the same problem? I am talking about recursion
>> enabled in bind?
>
> I'm confused by the last sentence. I don't understand if you are asking a
> question, or stating that recursion should be disabled.
>
> If it is a statement, then you must mean that ops should disable recursion,
> and enable forwarding for name resolution, correct? In this case, it's been
> proven that having an upstream forward that is 'broken' will have the exact
> same effect as having a broken recursive server.
>
> My apologies if I've misunderstood your comment.
We are talking about ccTLD NS.
Gadi.
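The thread is about authoritative (ccTLD) name servers that still answer recursive queries. The quick way to see whether a server offers recursion is the RA (Recursion Available) bit in its reply header: an authoritative-only server leaves it clear, an open resolver sets it. The script below is an added example for this archive page, not code from the thread or from any DNS project: it builds a minimal query with RD set, decodes the 12-byte DNS header, and reports RA. The transaction id 0x1234, the probe name example.com. and the two embedded reply headers are constructed for the example. On BIND the corresponding fix for an authoritative server is `recursion no;` (or an `allow-recursion` ACL limited to your own clients) in the `options` block.

```python
"""Added example (not part of the NANOG thread): decode a DNS reply header
and report whether the server advertised recursion via the RA flag.
Use it to audit name servers you operate."""
import socket
import struct

TXID = 0x1234  # fixed transaction id used by this example (constructed value)


def build_query(qname: str, txid: int = TXID, rd: bool = True) -> bytes:
    """Build a minimal DNS A/IN query; RD (Recursion Desired) is bit 0x0100."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields (RFC 1035 layout)."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # reply (1) or query (0)
        "aa": bool(flags & 0x0400),     # authoritative answer
        "rd": bool(flags & 0x0100),     # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),     # recursion available: the flag we audit
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def recursion_advertised(resp: bytes) -> bool:
    """True when the server set RA, i.e. it is offering recursion to the asker."""
    return parse_header(resp)["ra"]


def probe(server_ip: str, qname: str = "example.com.", timeout: float = 3.0) -> dict:
    """Send the query over UDP/53 and return the parsed reply header.
    Needs network access; intended for servers you are responsible for."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server_ip, 53))
        data, _ = s.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != TXID:
        raise ValueError("transaction id mismatch in reply")
    return hdr


# Constructed sample reply headers (not captured from any real server):
# QR|AA|RD set, RA clear, RCODE=0, QDCOUNT=1 -> authoritative-only behaviour.
AUTH_ONLY_REPLY = struct.pack("!HHHHHH", TXID, 0x8500, 1, 0, 0, 0)
# Same header with RA (0x0080) also set -> the server offers recursion.
OPEN_RECURSION_REPLY = struct.pack("!HHHHHH", TXID, 0x8580, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        h = probe(sys.argv[1])
        print(f"{sys.argv[1]}: RA={'yes' if h['ra'] else 'no'} "
              f"AA={h['aa']} rcode={h['rcode']}")
    else:
        for name, pkt in (("auth-only", AUTH_ONLY_REPLY),
                          ("open-recursion", OPEN_RECURSION_REPLY)):
            print(name, "advertises recursion:", recursion_advertised(pkt))
```

Run with no arguments to see the two constructed cases decoded; pass the address of a server you run to query it for real. The same information is visible in `dig` output as the presence or absence of `ra` in the flags line.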