Bind and possible redundancy flaw.
Noah McNallie
lists at xzziroz.net
Wed Feb 20 23:29:45 UTC 2008
22:45 -!- n0ah [i=n0ah at xzziroz.net] has joined #bind
22:45 -!- Topic for #bind: Unofficial Bind (DNS) Channel | problems?
check your syslog! | read the bind9 ARM
http://www.isc.org/sw/bind/arm93 | also see
http://www.bind9.net/links | http://www.zytrax.com/books/dns/ |
http://tinyurl.com/anel
22:45 -!- Topic set by Evilx [] [Fri Feb 8 17:51:08 2008]
22:45 [Users #bind]
22:45 [ _NiC ] [ floppypond] [ JoshH ] [ n0ah ] [ rodpod ]
[ Zeit|awy_]
22:45 [ badcfe ] [ hawk ] [ Lazydog ] [ nightbreed] [ stockholm]
22:45 [ Blue_Ice] [ ikaro ] [ LiENUS ] [ packetscan] [ telelvis ]
22:45 [ diabel ] [ ikk ] [ linkslice] [ preaction ] [ TheBonsai]
22:45 [ dogmeat ] [ jdog_ ] [ mfmf ] [ rob0 ] [ vaix_ ]
22:45 -!- Irssi: #bind: Total of 26 nicks [0 ops, 0 halfops, 0 voices,
26 normal]
22:45 -!- Channel #bind created Sun Nov 26 01:42:58 2006
22:45 -!- Irssi: Join to #bind was synced in 2 secs
22:45 < n0ah> hey guys, I think I've found a potential BIND flaw
22:48 < n0ah> it seems that if I have an NS in my list of name servers
that has no records for the domain being queried, half the internet
will not resolve the query at all, i.e. say I have two name
servers for an IP range, if the 2nd listed contains no records,
half the internet will fail the lookup 100%, though with
dig +trace it does the right thing, if the second server with no
records is queried
22:48 < n0ah> the second server with no records will loop back around
and give root records, then back to arin records for the ip range,
then back to the good name server, and the query succeeds
22:48 < n0ah> I know that makes it sound like a client issue, though I'm
not sure how BIND is dealing with this recursively
22:49 < n0ah> but it seems some I've tried to do the query with the
second in the list, and it'll just fail every time as long as there is
an NS with no records listed as a nameserver
22:49 < n0ah> quite a few
22:49 < n0ah> some servers handle it just fine (using the same client,
such as dig, querying their nameservers directly)
22:50 < n0ah> this does not seem redundant, how will these places handle
a large failure (which is what it's supposed to be all built off
of the idea)... what if a 4th nameserver expires on a zone
refresh... and due to routing it can't talk to the parent name
server to get the zone for whatever the timeout is, 24
hours is common
22:50 < n0ah> then, whichever of these users can access the 4th server
(it seems if a server isn't accessible, BIND will just go to the
next and it's no problem)
22:51 < n0ah> will get failed queries because the 4th is up, though the
4th has no records
22:52 < n0ah> I'll look for the BIND mailing list, I get a feeling this
channel is pretty quiet
n0ah
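The situation described in the pasted log is a lame delegation: a server listed in the zone's NS set that does not actually hold the zone and, when asked with recursion desired off, hands back a referral to the root instead of an authoritative answer. The check a practitioner wants is to send the same query to every listed NS and flag any that reply without the AA bit. The script below is an added example, not code from the original post or from BIND; the server names, the 192.0.2.0/24 reverse zone and the two replies are constructed inline so it runs offline, and send_query() shows the live path (a UDP query with RD=0, which is an assumption about how you would run it, not something the log states).

```python
"""Added example: lame-delegation check for the NS set of a zone.

Constructed data only (offline); see send_query() for the live path.
"""
import socket
import struct

QTYPE_NS, QTYPE_PTR = 2, 12
QCLASS_IN = 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400
NAME_TYPES = (QTYPE_NS, QTYPE_PTR)  # rdata of these types is a domain name


def encode_name(name):
    """Wire-format a dotted name; '.' (the root) becomes a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name), following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def encode_rr(name, rtype, rdata_name, ttl=3600):
    """One resource record whose rdata is a name (NS or PTR)."""
    rdata = encode_name(rdata_name)
    return encode_name(name) + struct.pack(">HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def build_message(qid, flags, qname, qtype, answer=(), authority=()):
    """Query (flags without QR) or constructed response (flags with QR), one question."""
    hdr = struct.pack(">HHHHHH", qid, flags, 1, len(answer), len(authority), 0)
    return hdr + encode_name(qname) + struct.pack(">HH", qtype, QCLASS_IN) \
        + b"".join(answer) + b"".join(authority)


def parse_message(msg):
    """Header flags plus the answer and authority sections as (name, type, rdata)."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            rdata = decode_name(msg, off)[0] if rtype in NAME_TYPES else msg[off:off + rdlen]
            off += rdlen
            rrs.append((name, rtype, rdata))
        sections.append(rrs)
    return {"id": qid, "aa": bool(flags & FLAG_AA), "rcode": flags & 0xF,
            "answer": sections[0], "authority": sections[1]}


def classify(resp):
    """Verdict for a reply from a server that is listed as authoritative for the name."""
    m = parse_message(resp)
    if m["rcode"] != 0:
        return "error rcode=%d" % m["rcode"]
    if m["aa"]:
        return "authoritative" if m["answer"] else "authoritative-nodata"
    # No AA: the server does not serve the zone. Report where it referred us
    # (the root, in the case described in the log).
    referral = sorted({name for name, rtype, _ in m["authority"] if rtype == QTYPE_NS})
    return "lame (referral to %s)" % (", ".join(referral) or "nothing")


def check_servers(replies):
    """Map server name -> verdict; any 'lame' entry means some resolvers will fail."""
    return {server: classify(resp) for server, resp in replies.items()}


def send_query(server, qname, qtype, timeout=3.0):
    """Live path (not used offline): UDP query with RD=0 so a server that does
    not hold the zone cannot mask that by recursing on our behalf."""
    query = build_message(0x1234, 0, qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    return resp


# Constructed sample: a /24 reverse zone with two listed NS, the second one lame.
ZONE = "2.0.192.in-addr.arpa."
QNAME = "10." + ZONE
GOOD = build_message(0x1234, FLAG_QR | FLAG_AA, QNAME, QTYPE_PTR,
                     answer=[encode_rr(QNAME, QTYPE_PTR, "host.example.")])
LAME = build_message(0x1234, FLAG_QR, QNAME, QTYPE_PTR,
                     authority=[encode_rr(".", QTYPE_NS, "a.root-servers.net."),
                                encode_rr(".", QTYPE_NS, "b.root-servers.net.")])
SAMPLE_REPLIES = {"ns1.example.": GOOD, "ns2.example.": LAME}

if __name__ == "__main__":
    for server, verdict in check_servers(SAMPLE_REPLIES).items():
        print(server, verdict)
```

Run it against real servers by replacing SAMPLE_REPLIES with {ns: send_query(ns, QNAME, QTYPE_PTR) for ns in your_ns_list}. The "authoritative-nodata" verdict is deliberately separate from "lame": a server that holds the zone but has no PTR for that address is a correct negative answer, while a server that answers without AA is the misconfiguration that makes lookups fail on resolvers that happen to pick it.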