SRV records and cache poisoning (full)
Mark Andrews
Mark_Andrews at isc.org
Thu Jun 9 07:38:49 UTC 2005
> >
> > Stub resolvers need to trust their caching servers to have
> > anti-poisioning support. Stub resolvers don't have enough
> > information to detect poisioning. This assumes DNSSEC is
> > not available for the zone that is the target of the
> > poisoning. If DNSSEC is available them the stub resolver
> > can verify the answer.
> >
>
> So am I to understand that a sane caching nameserver will remove that
> www.microsoft.com record from the additional section of the reply? And
> that it will do some sort of filtering on the additional section in
> responses?
Yes.
>
> Thanks for the reply,
> Stefan.
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list