Does BIND 9.3.2 have problems related to forwarding?

Peter Dambier peter at peter-dambier.de
Fri May 26 12:58:38 UTC 2006


Eivind Olsen wrote:
> Peter Dambier wrote:
> 
>>I could never trace it. I got rid of it by slaving the zones that got
>>overwritten. It is nasty to do that on a cache only server but it gets
>>you rid of the problem. I have seen some ISPs doing exactly the same
>>with their resolvers.
> 
> 
> Ok. So do you think I'm likely correct when I guess it's a bug in BIND?
> 

I would not call it a bug. It is the way an algorithm is implemented.

Developers of Bind and djbdns differ in what may be trusted and what
may not. I guess it has to do with glue records returned. There have
been issues with cache poisoning in bind but that is long ago.

I have seen dns-servers returning something, mostly the glue records
for the root-servers for things they don't know. This way a cache might
still be manipulated but I remember there used to be a switch in bind
where you can tell it to be more paranoid.

I have not seen my root-servers overwritten with Bind 9.4 yet.

> 
>>It sounds like what Dan Bernstein asked the Bind developers
>>to do. So I guess, yes that is it. I am running 9.4.0a5 for some
>>days now, mostly as cache but slaving a couple of zones too. I did
>>not see any hijacking yet but my system does not serve too many
>>customers.
> 
> 
> Hello. Do you have more information about what DJB asked the BIND 
> developers to do? I have searched for it but couldn't find any information.
> 

Sorry, nor could I. It must have been hidden between the lines or
just a memory leak in my brain :)

I remember it was about the cache implementation in some resolvers.
Some would cache used horseshoes thrown at it :)
They would cache answers for queries they had never queried.
Others would cache answers from servers they had not queried.

As the bad guys got nastier you had even to check whether the answer was
not only a possible answer from the right server but really the answer
to your query and not somebody else's.

I am not a bind developer, only one of the many people trying the
9.4.0a5.


Kind regards
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
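
Added example, not part of the message above and not BIND's or djbdns's code: a sketch of the resolver-side checks the message describes (only accept a reply to a query that was actually sent, from the server it was sent to, for the same question). It goes one step beyond the message by also dropping records outside the queried server's zone, which is the usual guard against overwritten root-server glue. The class and function names, the dict message format and all addresses are constructed assumptions.

```python
# Simplified resolver acceptance checks. Messages are plain dicts
# (constructed for illustration), not real DNS wire format.

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it ('.' is the root)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)

class Pending:
    """Outstanding queries, keyed by what a genuine reply must echo back."""
    def __init__(self):
        self.sent = {}

    def record_query(self, server, txid, qname, qtype, zone):
        # zone: the zone this server was delegated for (hypothetical input)
        self.sent[(server, txid, qname.lower(), qtype)] = zone

    def accept(self, src, reply):
        """Return the records that are safe to cache, or [] if rejected."""
        key = (src, reply["id"], reply["qname"].lower(), reply["qtype"])
        zone = self.sent.pop(key, None)
        if zone is None:
            # Never asked, asked a different server, or a different question.
            return []
        # Keep only records the queried server is entitled to speak for.
        return [rr for rr in reply["records"] if in_bailiwick(rr["name"], zone)]

def demo():
    p = Pending()
    p.record_query("192.0.2.53", 0x1A2B, "www.example.com", "A", "example.com")
    # Constructed reply: one legitimate answer plus unrelated root data.
    reply = {"id": 0x1A2B, "qname": "www.example.com", "qtype": "A", "records": [
        {"name": "www.example.com", "type": "A", "data": "198.51.100.7"},
        {"name": ".", "type": "NS", "data": "ns.unrelated.invalid"},
        {"name": "a.root-servers.net", "type": "A", "data": "203.0.113.66"},
    ]}
    wrong_server = p.accept("203.0.113.9", reply)  # right reply, wrong source
    genuine = p.accept("192.0.2.53", reply)        # matches the pending query
    replay = p.accept("192.0.2.53", reply)         # query already answered
    return wrong_server, genuine, replay

if __name__ == "__main__":
    for label, result in zip(("wrong server", "genuine", "replay"), demo()):
        print(label, [rr["name"] for rr in result])
```

A real resolver also matches the UDP source port and checks every section of the reply; the sketch keeps only the checks named in the message plus the zone filter.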


