bind: how to accept authoritative answers only?

Jim Reid jim at rfc1035.com
Sat Jan 27 19:32:54 UTC 2001


>>>>> "Larry" == Larry Sheldon <lsheldon at creighton.edu> writes:

    >> I tried to figure out how to configure bind (on my TSL1.2) to
    >> accept authoritative answers only, but I didn't succeed.  This
    >> should help against IP-Spoofing as named wouldn't accept answers
    >> of a hijacked cache that is used to spoof addresses. DJBDNS
    >> (Bernstein stuff) behaves that way, and I would have liked to
    >> configure bind to work that way.

    Larry> I have no idea how to do what you are asking, but I am
    Larry> interested in the assertion that "authoritative" can not be
    Larry> spoofed. How is that guaranteed?

The only way to detect and ignore spoofed DNS traffic or name servers is
by putting some sort of digital signature on each packet, presumably
using public-key encryption. This is provided by DNSSEC: Secure DNS.
The protocol is implemented and supported in BIND8.2 and later. There
is no support for DNSSEC in djbdns. How Dr. Bernstein squares this
with his claims of preventing spoofing is beyond me.
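As an added illustration of Larry's question, here is a small example written for this archive page (it is not code from the thread, from BIND or from djbdns). It builds and parses a minimal DNS response with the RFC 1035 header and question section, and applies the checks a plain resolver can make on a reply: QR bit set, transaction ID matches, question echoed. The AA ("authoritative answer") bit is just another header bit that whoever assembled the packet chose to set, so two messages, one as the zone's real server would send and one constructed by an arbitrary sender, are indistinguishable by parsing alone. The sample messages, the transaction ID 0x1234 and the name www.example.com are constructed for the example; compression pointers are deliberately not handled.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 1 << 15   # message is a response
FLAG_AA = 1 << 10   # responder claims to be authoritative for the zone
FLAG_RD = 1 << 8    # recursion desired (copied from the query)
FLAG_RA = 1 << 7    # recursion available

def encode_name(name):
    """Encode a dotted name into wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    """Decode an uncompressed wire-format name; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset

def build_response(txid, qname, qtype, aa):
    """Construct a response: 12-byte header plus the echoed question (no answer RRs)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN

def parse_response(data):
    """Parse header fields and the single question of a DNS message."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rcode": flags & 0xF, "qname": qname, "qtype": qtype, "qclass": qclass,
            "ancount": an}

def accept_response(data, expected_id, expected_qname, expected_qtype):
    """Pre-DNSSEC resolver sanity checks. Returns (accepted, reason).

    The reply must be a response, carry the transaction ID we sent and echo
    our question. The AA bit is reported but is not a basis for trust: it is
    set by whoever built the packet, not verified by anything."""
    r = parse_response(data)
    if not r["qr"]:
        return False, "not a response"
    if r["id"] != expected_id:
        return False, "transaction id mismatch"
    want = expected_qname.rstrip(".").lower() + "."
    if r["qname"].lower() != want or r["qtype"] != expected_qtype:
        return False, "question mismatch"
    return True, "aa=%s (self-asserted)" % r["aa"]

# Constructed sample messages (hypothetical values): one as the zone's own
# server would send, one assembled by an arbitrary sender that sets the same bit.
QUERY_ID, QNAME, QTYPE_A = 0x1234, "www.example.com.", 1
GENUINE = build_response(QUERY_ID, QNAME, QTYPE_A, aa=True)
THIRD_PARTY = build_response(QUERY_ID, QNAME, QTYPE_A, aa=True)

def aa_bit_distinguishes():
    """True only if parsing could tell the two messages apart by the AA bit (it cannot)."""
    return parse_response(GENUINE)["aa"] != parse_response(THIRD_PARTY)["aa"]

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("third party", THIRD_PARTY)):
        print(label, accept_response(msg, QUERY_ID, QNAME, QTYPE_A))
    print("AA bit distinguishes them:", aa_bit_distinguishes())
```

Running the script shows both messages accepted with aa=True; the only thing the resolver can actually check without a signature is that the ID and question match what it sent, which is why the thread's answer is DNSSEC rather than any "authoritative only" switch.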
