Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: DNS contamination

  • From: Dima Volodin
  • Date: Thu Jan 23 15:56:37 1997

Ignoring additional records works pretty well for me.

Otherwise, the beast is out there, and we cannot do much except wait
for it to die slowly.

For those who wonder what is so special about these addresses - they
were SprintLink's DNS servers' around Wilhelm the Conqueror's time or
shortly after that. Apparently, some clueless admins have these
addresses as bogus glue records in their zones and use vintage named
versions that allow them to do that. Once leaked out in additional
sections of DNS responses, these bogus records end up in other servers'
caches, which in turn try to use these addresses to resolve queries for
names for which SprintLink's servers are claimed to be authoritative.
In two hours about 400 servers tried to use (a
Catalyst something) as a name server.

Paul A Vixie writes:
> I have done, algorithmically, everything that can be done at that level.
> At this point we are going to have to wait for DNSSEC or some other wire
> protocol change.  If you have suggestions to the contrary I would like
> to hear them.  (And if you have money to pay for BIND improvements I would
> like to hear about that, too.)
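
An added illustration, not part of the original post and not BIND's code: a small model of how a cache's policy toward the additional section decides whether stale glue spreads. The "bailiwick" policy goes beyond what the post mentions; all names and addresses are constructed, and the function names are hypothetical.

```python
# Constructed model of a caching resolver handling one DNS response.
# Records are (owner_name, rtype, rdata) tuples; names/addresses are made up.

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def records_to_cache(response, zone, policy):
    """Return the records a cache would store under the given policy.

    "trust_all"         - cache every section (the behaviour that spreads bad glue)
    "ignore_additional" - drop the additional section entirely
    "bailiwick"         - keep additional A records only for NS targets that are
                          listed in the authority section and lie inside zone
    """
    kept = list(response["answer"]) + list(response["authority"])
    if policy == "trust_all":
        return kept + list(response["additional"])
    if policy == "ignore_additional":
        return kept
    if policy == "bailiwick":
        ns_targets = {rdata.lower().rstrip(".")
                      for _, rtype, rdata in response["authority"] if rtype == "NS"}
        for owner, rtype, rdata in response["additional"]:
            name = owner.lower().rstrip(".")
            if rtype == "A" and name in ns_targets and in_bailiwick(name, zone):
                kept.append((owner, rtype, rdata))
        return kept
    raise ValueError(f"unknown policy: {policy}")

# Constructed response from a server for example.com whose zone file carries
# a stale glue record for an out-of-zone name server (ns1.example.net).
RESPONSE = {
    "answer": [("www.example.com", "A", "198.51.100.10")],
    "authority": [("example.com", "NS", "ns.example.com"),
                  ("example.com", "NS", "ns1.example.net")],
    "additional": [("ns.example.com", "A", "198.51.100.1"),
                   ("ns1.example.net", "A", "192.0.2.53")],  # stale glue
}
STALE = ("ns1.example.net", "A", "192.0.2.53")

if __name__ == "__main__":
    for policy in ("trust_all", "ignore_additional", "bailiwick"):
        cached = records_to_cache(RESPONSE, "example.com", policy)
        print(f"{policy:18} stale glue cached: {STALE in cached}")
```

Under "trust_all" the stale address for ns1.example.net enters the cache and would then be used for every zone that server is listed for, which is the spread the post describes.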
