[11167] in North American Network Operators' Group


how to protect name servers against cache corruption

daemon@ATHENA.MIT.EDU (Paul A Vixie)
Tue Jul 22 16:37:14 1997

To: nanog@merit.edu
Date: Tue, 22 Jul 1997 13:24:59 -0700
From: Paul A Vixie <vixie@vix.com>

a BIND 4.9.6 or 8.1.1 server is immune.  so, you could upgrade.  to so do,
see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
(the root name servers are all running modern software at this point.)

alternic's corruption works by locating authoritative name servers via the
"NS RR"'s published in various zones.  if you run these as authoritative-
only (recursion disabled) then they will never fetch any data from anywhere.
(the root name servers are configured this way, for example.)  the downside
is that you can't list such nameservers in your "resolv.conf" files or PC
equivalents (Control Panel\Networking\TCP IP Settings, or some such rot.)
this means you need more name servers if you separate recursive from non-
recursive.
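
An added example, not part of the original message: one way to confirm that the servers you publish in NS RRs really run with recursion disabled is to send each a query with the RD bit set and check that the reply comes back with RA (recursion available) clear. The function names, the `example.net` hosts and the sample replies are constructed for illustration; the RA-bit check assumes the server clears RA when it will not recurse for the client.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(name, qid, qtype=2):
    """Query (NS by default) with RD set: a recursion-enabled server replies with RA set."""
    labels = [l.encode("ascii") for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_flags(message):
    """Decode the ID and the flag bits of a DNS message header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    qid, flags = struct.unpack("!HH", message[:4])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA)}

def classify(response, qid):
    """'recursive' if the reply advertises recursion, else 'authoritative-only'."""
    try:
        f = parse_flags(response)
    except ValueError:
        return "invalid"
    if not f["qr"] or f["id"] != qid:
        return "invalid"          # not a response to our query
    return "recursive" if f["ra"] else "authoritative-only"

def probe(server_ip, zone, qid=0x4e53, timeout=3.0):
    """Send one NS query for `zone` to your own server over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone, qid), (server_ip, 53))
        return classify(s.recv(512), qid)

def audit(responses, qid):
    """Names of servers whose reply advertises recursion (RA set)."""
    return sorted(n for n, r in responses.items() if classify(r, qid) == "recursive")

# Constructed sample replies (header only), not captured traffic.
SAMPLE_QID = 0x4e53
SAMPLE = {
    "ns1.example.net": struct.pack("!HHHHHH", SAMPLE_QID, QR | AA | RD, 1, 1, 0, 0),
    "ns2.example.net": struct.pack("!HHHHHH", SAMPLE_QID, QR | RD | RA, 1, 1, 0, 0),
}
```

Run `probe()` from a host outside any address range the server is configured to recurse for, since that is the view the rest of the Internet gets.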
