slave on per-zone basis only?

WebReactor Networks bind at webreactor.net
Fri Feb 22 04:28:18 UTC 2002


Could I avoid cache poisoning by setting the TTL on the SOA record to 0?
This should keep the bogus root SOA from getting cached.  I certainly don't
want to be destructive.  I tried this on a test server, and "dig
@(test-server) . soa" comes back with a zero TTL.  I wanted your opinion
before doing this on the Production server.

Microsoft DNS installs as a root server by default; were many name servers
vulnerable to cache poisoning for the root zone, then the problem would be
encountered often, no?

Sorry about the long lines.

Thanks.  - John R. S.


-------- Original Message --------
Subject: Re: slave on per-zone basis only?
Date: Thu, 21 Feb 2002 14:55:33 -0800
From: Pete Ehlke <pde at ehlke.net>
To: WebReactor Networks <bind at webreactor.net>
CC: bind-users at isc.org
References: <E16e1aE-00016x-00 at mail.webreactor.net>

On Thu, Feb 21, 2002 at 02:20:58PM -0800, WebReactor Networks wrote:
> 
> Let us assume that you will be adding zones which reside under multiple TLDs
> (com, net, org, uk, cz, etc.).  Make your master and slave servers root name
> servers.
> 
>   // Master named.conf
>   zone "." {
>     type master; 
>     file "db.root";
>   };
> 
> Now, having said that, what negative side effects can be expected from a
> configuration like this?  It has been working well for almost a year now,
> and the only complaint I've received was that the registrar for Switzerland
> (.ch) and Liechtenstein (.li) requires SOA records for a domain before they
> will register it.
> 
First of all, please configure your mail/news client to wrap lines at
less than 80 characters. Long lines like this are exceedingly annoying
to those of us (likely the vast majority in a forum like this one) who
use terminal-based clients.

The problem with this scheme is that it's a blueprint for how to engage
in cache poisoning. When you pass along Additional records that claim
that your server is authoritative for '.', you will, sooner or later,
poison someone else's cache. You break other people's servers for the
sake of your own convenience. That's rude, to say the least.

-Pete
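The poisoning path Pete describes works only against a resolver that caches whatever a server volunteers in the Authority and Additional sections. The usual defence is a bailiwick (credibility) rule: records are kept only if their owner name lies inside the zone the server was consulted for. The following is an added illustration, not code from this thread or from BIND; the server name, the example.net zone and the response records are all constructed. It models a resolver that asked the example.net name server about www.example.net and received, alongside the answer, root NS/SOA data because that server is also `type master` for ".":

```python
"""Bailiwick filter for DNS response records (constructed example).

Demonstrates the credibility rule a resolver applies so that records a server
volunteers outside the zone it was asked about are discarded, not cached.
Names, addresses and the response below are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str      # owner name, absolute ("www.example.net.")
    rtype: str     # record type ("A", "NS", "SOA", ...)
    ttl: int
    rdata: str
    section: str   # "answer", "authority" or "additional"


def _labels(name: str) -> List[str]:
    """Split an absolute name into lower-cased labels; "." becomes []."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies beneath it.

    Comparison is label-wise, so "notexample.net." is *not* inside
    "example.net." (a plain string-suffix test would get that wrong).
    The root zone contains every name.
    """
    o, z = _labels(owner), _labels(zone)
    if not z:
        return True
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(records: List[RR], bailiwick: str) -> Tuple[List[RR], List[RR]]:
    """Apply the credibility rule to a whole response.

    Returns (accepted, rejected): accepted records may enter the cache,
    rejected ones are dropped regardless of section or TTL.
    """
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, bailiwick) else rejected).append(rr)
    return accepted, rejected


# Constructed response: the resolver was delegated to ns1.example.net for
# example.net and asked it for www.example.net.  Because that server is also
# master for ".", it tacks root NS/SOA records onto the Authority section.
RESPONSE = [
    RR("www.example.net.", "A", 3600, "192.0.2.10", "answer"),
    RR("example.net.", "NS", 3600, "ns1.example.net.", "authority"),
    RR(".", "NS", 3600, "ns1.example.net.", "authority"),
    RR(".", "SOA", 0, "ns1.example.net. hostmaster.example.net. 1 3600 900 604800 0", "authority"),
    RR("ns1.example.net.", "A", 3600, "192.0.2.53", "additional"),
]


def poisoned_root_records(records: List[RR], bailiwick: str) -> List[RR]:
    """The records the rule refuses: exactly what a resolver lacking it would cache."""
    _, rejected = filter_response(records, bailiwick)
    return rejected


if __name__ == "__main__":
    accepted, rejected = filter_response(RESPONSE, "example.net.")
    for rr in accepted:
        print("cache  ", rr.section, rr.name, rr.rtype, rr.ttl, rr.rdata)
    for rr in rejected:
        print("discard", rr.section, rr.name, rr.rtype, rr.ttl, rr.rdata)
```

Running it caches the A record, the example.net NS record and its glue, and discards both root records. The filter decides on origin alone: the zero-TTL SOA in the constructed response is rejected for the same reason as the NS record with a normal TTL, which is why the rule, and not the TTL, is what protects the consulting resolver.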
