Unsuitable for Forwarder use

List Account my.klist at gmail.com
Thu Apr 21 15:44:57 UTC 2005


I saw this on isc.org and am trying to confirm whether the problems
we've been seeing are related.

========================
If a name server -- any name server, whether BIND or otherwise -- is
configured to use ``forwarders'', then none of the target forwarders
can be running BIND4 or BIND8. Upgrade all name servers used as
``forwarders'' to BIND9. There is a current, wide scale
Kashpureff-style DNS cache corruption attack which depends on BIND4
and BIND8 as ``forwarders'' targets.
...
========================

We have a split DNS solution in place.  We recently upgraded our
internal DNS boxes to 9.2.3.  Our external 'ns' boxes are still
running 8.2.4.

Our internal DNS servers are authoritative for example.com, and cannot
do Internet name resolution on their own.  For Internet name
resolution, we configure select zones as type forward and send
requests to our Internet NS boxes.

Our external DNS servers (totally separate boxes) are also
authoritative for example.com and are targets for our internal DNS
server for select Internet domains.

Lately, we've noticed that our internal DNS servers get cache corruption
and come to believe that the example.com SOA is our external DNS boxes.

Am I reading the above advisory correctly?  Is the problem I'm seeing
related to this?

Thanks in advance for your help.

  - Frank
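The layout described in the post, written out as a BIND 9 named.conf for one of the internal boxes. This is an added example, not configuration from the original message or from ISC; the host names, addresses, zone names and file paths are hypothetical. The point the quoted advisory makes is in the forward zone: each address in its forwarders list is a "forwarders target" and must be running BIND 9, so a forward zone pointing at 8.2.4 servers is exactly the setup the advisory says to change.

```conf
// Added example (not from the original post): internal BIND 9 named.conf
// matching the split-DNS layout described above. Host names, addresses,
// zone names and file names are hypothetical.
options {
    directory "/var/named";
    recursion yes;               // internal clients may recurse
    // No global "forwarders" statement: the internal boxes are not meant
    // to resolve the whole Internet, only the zones forwarded below.
};

// Internal copy of example.com: this server is authoritative for it.
zone "example.com" {
    type master;
    file "internal/example.com.zone";
    allow-transfer { 192.0.2.0/24; };   // hypothetical internal secondaries
};

// One of the "select Internet domains" resolved by forwarding to the
// external 'ns' boxes. Per the quoted ISC advisory, every address listed
// in forwarders must be a BIND 9 server; BIND 4/8 forwarders are the
// targets of the Kashpureff-style cache-corruption attack it describes.
zone "example.net" {
    type forward;
    forward only;                 // never fall back to iterative resolution
    forwarders { 203.0.113.10; 203.0.113.11; };   // hypothetical external ns1/ns2
};
```

To confirm what a forwarder target actually runs, query it for the CHAOS-class TXT record `version.bind` (for the hypothetical address above: `dig @203.0.113.10 version.bind txt chaos`). Many operators hide this with the `version` option in named.conf, in which case `named -v` on the box itself is the reliable check.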
