Wrong glue records entered.

Mark Andrews Mark_Andrews at isc.org
Tue Jan 18 04:59:56 UTC 2005 

> Quoting Barry Margolin <barmar at alum.mit.edu>:
> 
> > Glue records are the A records that are related to NS records.  So your
> > question doesn't really make sense.  I think what you're asking is "Is
> > the A record for the target of an MX supposed to be returned with an MX
> > query?"  The answer to that is "yes" -- if the relevant A records are in
> > the server's memory (either authoritative data or cache) they should be
> > included in the Additional Records section of the response.  RFC 1035
> > section 3.3.9 says: "MX records cause type A additional section
> > processing for the host specified by EXCHANGE."
> >
> 
> This is exactly what I thought. I know I didn't explain it correctly at all.
> 
> > They're probably not asking your servers, they're just using the
> > additional records that your servers are sending along with the MX
> > response.
> 
> That makes sense but they should then go out and validate the data (go out an
> d
> verify that the glue record is correct).
> Let's say for instance I had the domain "example.com"
> Then if I had the record:
> www.example.com.  900000    IN      CNAME   www.yahoo.com.
> 
> Then if I also had the domain "yahoo.com" configured and point "www.yahoo.com
> "
> to any IP that I owned.
> 
> Are we saying that my version of "www.yahoo.com" would then be cached in the
> resolving name server?  Wouldn't that just poison the Internet?
> Anyone could do the same thing with banks and ecommerce sites.
> 
> I would think that the resolving name server would have enough knowledge to g
> o
> out and resolve "www.yahoo.com" from the start and not trust a glue record.
> And this appears to be the case for the versions of bind that I tested and al
> so
> dnscache.
> But there are some resolving name servers that are incorrect in that they do 
> use
> the glue record all of the time.
> 
> -Steve

	Well w/ BIND 9 you can prevent the overridden record leaking
	by setting a appropriate allow-query acl.

	e.g.
		zone "secureserver.net" {
			type master;
			file "secureserver.net";
			allow-query { localhost; };
		};

	Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list