[79078] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Wed Mar 30 06:38:08 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: Brad Knowles <brad@stop.mail-abuse.org>
Cc: Simon Waters <simonw@zynet.net>, John Payne <john@sackheads.org>,
nanog@merit.edu, Randy Bush <randy@psg.com>
Date: Wed, 30 Mar 2005 13:37:29 +0200
In-Reply-To: <p06200708be6fbe4b9244@[10.0.1.3]> (Brad Knowles's message of
"Wed, 30 Mar 2005 04:26:17 +0200")
Errors-To: owner-nanog@merit.edu
* Brad Knowles:
> At 1:08 PM +0200 2005-03-29, Florian Weimer wrote:
>
>> BIND accepts non-authoritative answers if their additional section
>> looks a bit like a referral. I don't think that this check is
>> deliberately lax, but stricter checks are simply harder to do on this
>> particular code path.
>
> BIND explicitly assumes that there might be upstream nameservers
> you may talk to that may be answering from cache.
Really? I can't get it to work reliably. Can you share an example
where delegation to a non-authoritative caching resolver works,
without the need for special seeding of the caching resolver?
Your posts to nanog@merit.edu aren't distributed by the mailing list,
BTW.
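To make the point under discussion concrete, here is an added illustration (not code from the thread, and not BIND's actual implementation): a minimal RFC 1035 wire-format builder and parser plus two caching policies. The "lax" policy caches everything whenever the authority and additional sections are shaped like a referral, regardless of the AA bit or of which zone the NS records name; the "strict" policy caches answer data only from authoritative responses and referral data only when the delegated zone is an ancestor of QNAME and the glue lives inside that zone. Both policies, the message layouts and all names and addresses (example.test, victim.test, 192.0.2.x, 198.51.100.x) are constructed for the example.

```python
import struct

# Constructed DNS messages only; nothing is sent on the wire.
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(buf, off):
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:  # compression pointer: build_response never emits one
            raise ValueError("name compression not supported in this example")
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def a_rr(owner, ip):
    return (owner, TYPE_A, bytes(int(o) for o in ip.split(".")))

def ns_rr(owner, target):
    return (owner, TYPE_NS, encode_name(target))

def build_response(qname, aa, answer=(), authority=(), additional=()):
    """Serialize a minimal IN/A response (RFC 1035 wire format, no compression)."""
    flags = 0x8000 | (0x0400 if aa else 0)  # QR set, AA optional
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, rtype, rdata in (*answer, *authority, *additional):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return msg

def parse_response(buf):
    _, flags, _, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    qname, off = decode_name(buf, 12)
    off += 4  # skip QTYPE and QCLASS
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(buf, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10
            rrs.append((owner, rtype, buf[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"aa": bool(flags & 0x0400), "qname": qname,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def lax_cacheable(msg):
    """Lax policy (hypothetical): if the authority/additional sections are shaped
    like a referral (NS records plus glue for their targets), cache every record."""
    targets = {decode_name(rd, 0)[0] for _, t, rd in msg["authority"] if t == TYPE_NS}
    glue = [rr for rr in msg["additional"] if rr[1] == TYPE_A and rr[0] in targets]
    if targets and glue:
        return msg["answer"] + msg["authority"] + msg["additional"]
    return msg["answer"] if msg["aa"] else []

def strict_cacheable(msg):
    """Strict policy (hypothetical): answer data only with AA set; referral data only
    when the delegated zone is an ancestor of QNAME, and glue only from inside it."""
    if msg["answer"]:
        return msg["answer"] if msg["aa"] else []
    keep = []
    for owner, rtype, rdata in msg["authority"]:
        if rtype == TYPE_NS and in_zone(msg["qname"], owner):
            keep.append((owner, rtype, rdata))
            target = decode_name(rdata, 0)[0]
            keep += [rr for rr in msg["additional"]
                     if rr[1] == TYPE_A and rr[0] == target and in_zone(target, owner)]
    return keep

# Constructed: a non-authoritative answer for www.example.test whose additional
# section carries a "delegation" for an unrelated zone, victim.test.
POISON = build_response("www.example.test.", aa=False,
    answer=[a_rr("www.example.test.", "192.0.2.10")],
    authority=[ns_rr("victim.test.", "ns.victim.test.")],
    additional=[a_rr("ns.victim.test.", "198.51.100.1")])

# Constructed: a genuine referral for the same query, as a parent zone would send it.
REFERRAL = build_response("www.example.test.", aa=False,
    authority=[ns_rr("example.test.", "ns1.example.test.")],
    additional=[a_rr("ns1.example.test.", "192.0.2.53")])

if __name__ == "__main__":
    for label, wire in (("poison", POISON), ("referral", REFERRAL)):
        m = parse_response(wire)
        print(label, "lax:", len(lax_cacheable(m)), "strict:", len(strict_cacheable(m)))
```

Run as-is, the lax policy caches all three records of the constructed non-authoritative message, including the glue for victim.test, while the strict policy caches none of it yet still accepts both records of the genuine referral. The strict path has to decode NS targets and compare zone suffixes for every candidate, which is the kind of extra work on the referral-handling path that the quoted message alludes to.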