North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: DNS cache poisoning attacks -- are they real?
- From: Florian Weimer
- Date: Wed Mar 30 06:38:48 2005
* Brad Knowles:
> At 1:08 PM +0200 2005-03-29, Florian Weimer wrote:
>
>> BIND accepts non-authoritative answers if their additional section
>> looks a bit like a referral. I don't tink that this check is
>> deliberately lax, but stricter checks are simply harder to do on this
>> particular code path.
>
> BIND explicitly assumes that there might be upstream nameservers
> you may talk to that may be answering from cache.
Really? I can't get it to work reliably. Can you share an example
where delegation to a non-authoritative caching resolver works,
without the need for special seeding of the caching resolver?
Your posts to nanog@merit.edu aren't distributed by the mailing list,
BTW.
|
