wrong reverse dns answer, corrupted cache
Nate Campi
nate at wired.com
Sun Jan 27 21:00:20 UTC 2002
On Sun, Jan 27, 2002 at 11:14:00AM -0800, Doug Barton wrote:
> Nate Campi wrote:
> >
> > On Fri, Jan 25, 2002 at 06:42:49PM -0800, Doug Barton wrote:
> > >
> > > On Fri, 25 Jan 2002, Kevin Darcy wrote:
> > >
> > > > Modern versions of BIND tend to be immune from this form of cache poisoning
> > > > because they keep good track of "credibility" and won't overwrite data of
> > > > high credibility (e.g. the delegation from arpa to in-addr.arpa) with data of
> > > > low credibility (e.g. hinet.net's outrageous claims of in-addr.arpa
> > > > authoritativeness). However, older versions of BIND, and non-BIND nameserver
> > > > software, may still get poisoned.
> > >
> > > Would that this were true. My mixture of BIND 8.2.[45] name
> > > servers regularly got poisoned with this exact same crap until I marked
> > > those name servers bogus. It didn't always last very long, but my servers
> > > did cache the answer sometimes.
> >
> > Doug,
> >
> > Don't take this the wrong way, but are you sure?
>
> Completely. Not only was the dig output unambiguous, but I dumped the
> db the last time it happened and the record was there clear as day.
Maybe for all our benefit you could share information on the actual
servers that poisoned your cache and the RRs/domains that caused the
trouble. We can test against 8.3.0.
TIA,
--
Nate Campi | Terra Lycos DNS | WiReD UNIX Operations
I wanted to read your article but it had a bunch of HTML code and
brackets and garbage, instead of content. Maybe you could try posting
it again? - Al Iverson <news at radparker.com>
More information about the bind-users
mailing list