wrong reverse dns answer, corrupted cache

Nate Campi nate at wired.com
Sun Jan 27 06:35:59 UTC 2002


On Fri, Jan 25, 2002 at 06:42:49PM -0800, Doug Barton wrote:
> 
> On Fri, 25 Jan 2002, Kevin Darcy wrote:
> 
> > Modern versions of BIND tend to be immune from this form of cache poisoning
> > because they keep good track of "credibility" and won't overwrite data of
> > high credibility (e.g. the delegation from arpa to in-addr.arpa) with data of
> > low credibility (e.g. hinet.net's outrageous claims of in-addr.arpa
> > authoritativeness). However, older versions of BIND, and non-BIND nameserver
> > software, may still get poisoned.
> 
> 	Would that this were true. My mixture of BIND 8.2.[45] name
> servers regularly got poisoned with this exact same crap until I marked
> those name servers bogus. It didn't always last very long, but my servers
> did cache the answer sometimes.

Doug,

Don't take this the wrong way, but are you sure? I was under the
impression that the "bailiwick" principle had started working in 
recent BIND versions, and have had some recent experiences that 
loosely backed up my assumptions.
-- 
Nate Campi | Terra Lycos DNS | WiReD UNIX Operations

When you say 'I wrote a program that crashed Windows', people just
stare at you blankly and say 'Hey, I got those with the system, for
free' 
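The bailiwick and credibility rules argued over above, as an added model that is not BIND's code and not part of the thread: a toy resolver cache that discards records outside the bailiwick of the server that sent them and refuses to overwrite higher-credibility data. The credibility ranks are a simplified model of BIND's, and every name except in-addr.arpa and hinet.net is constructed.

```python
# Added illustration of the bailiwick and credibility rules the thread discusses.
# Not BIND's code: the ranks are a simplified model and the names are constructed.

# Credibility ranks, highest first (BIND's real ranking is finer-grained).
CRED_AUTH_ANSWER = 3   # answer section from the zone's authoritative server
CRED_DELEGATION = 2    # NS/glue learned from the parent zone's referral
CRED_ADDITIONAL = 1    # authority/additional records riding along in a reply


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (absolute names, case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return zone == "." or name == zone or name.endswith("." + zone)


class Cache:
    def __init__(self):
        self.rrsets = {}  # (owner, rtype) -> (credibility, set of rdata)

    def accept(self, owner, rtype, rdata, credibility, bailiwick):
        """Cache an RRset only if it is inside the bailiwick of the server that
        sent it and does not overwrite data of higher credibility."""
        if not in_bailiwick(owner, bailiwick):
            return False  # e.g. a hinet.net server "answering" about in-addr.arpa
        cur = self.rrsets.get((owner, rtype))
        if cur is not None and cur[0] > credibility:
            return False  # keep the better-sourced data already cached
        self.rrsets[(owner, rtype)] = (credibility, set(rdata))
        return True


def poisoning_attempt():
    """Replay the thread's scenario against the policy above (constructed data)."""
    cache = Cache()
    # Delegation of in-addr.arpa learned legitimately from the arpa servers.
    cache.accept("in-addr.arpa.", "NS", ["ns1.example."], CRED_DELEGATION, "arpa.")
    # A reply from a hinet.net server carries its own A record (in bailiwick)...
    legit = cache.accept("www.hinet.net.", "A", ["192.0.2.1"], CRED_AUTH_ANSWER, "hinet.net.")
    # ...plus a bogus authority record claiming in-addr.arpa itself: out of bailiwick.
    bogus = cache.accept("in-addr.arpa.", "NS", ["ns.rogue.example."], CRED_ADDITIONAL, "hinet.net.")
    # Even with no bailiwick check at all (bailiwick "."), the referral survives
    # because additional-section data ranks below the parent's delegation.
    cache2 = Cache()
    cache2.accept("in-addr.arpa.", "NS", ["ns1.example."], CRED_DELEGATION, "arpa.")
    downgraded = cache2.accept("in-addr.arpa.", "NS", ["ns.rogue.example."], CRED_ADDITIONAL, ".")
    return {"legit_accepted": legit,
            "bailiwick_rejected": not bogus,
            "credibility_rejected": not downgraded,
            "cached_ns": sorted(cache.rrsets[("in-addr.arpa.", "NS")][1])}
```

Older or non-BIND resolvers that apply neither rule would take the bogus NS set as-is, which is the behaviour Doug reports seeing.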
