Wrong glue records entered.
Mark Andrews
Mark_Andrews at isc.org
Tue Jan 18 04:59:56 UTC 2005
> Quoting Barry Margolin <barmar at alum.mit.edu>:
>
> > Glue records are the A records that are related to NS records. So your
> > question doesn't really make sense. I think what you're asking is "Is
> > the A record for the target of an MX supposed to be returned with an MX
> > query?" The answer to that is "yes" -- if the relevant A records are in
> > the server's memory (either authoritative data or cache) they should be
> > included in the Additional Records section of the response. RFC 1035
> > section 3.3.9 says: "MX records cause type A additional section
> > processing for the host specified by EXCHANGE."
> >
>
> This is exactly what I thought. I know I didn't explain it correctly at all.
>
> > They're probably not asking your servers, they're just using the
> > additional records that your servers are sending along with the MX
> > response.
>
> That makes sense but they should then go out and validate the data (go out and
> verify that the glue record is correct).
> Let's say for instance I had the domain "example.com"
> Then if I had the record:
> www.example.com. 900000 IN CNAME www.yahoo.com.
>
> Then if I also had the domain "yahoo.com" configured and point "www.yahoo.com"
> to any IP that I owned.
>
> Are we saying that my version of "www.yahoo.com" would then be cached in the
> resolving name server? Wouldn't that just poison the Internet?
> Anyone could do the same thing with banks and ecommerce sites.
>
> I would think that the resolving name server would have enough knowledge to go
> out and resolve "www.yahoo.com" from the start and not trust a glue record.
> And this appears to be the case for the versions of bind that I tested and also
> dnscache.
> But there are some resolving name servers that are incorrect in that they do use
> the glue record all of the time.
>
> -Steve
Well w/ BIND 9 you can prevent the overridden record leaking
by setting an appropriate allow-query acl.
e.g.
zone "secureserver.net" {
    type master;
    file "secureserver.net";
    allow-query { localhost; };
};
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
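Added example, not part of the thread above or of BIND: a minimal "bailiwick" filter showing the resolver-side behaviour Steve and Barry are discussing. A resolver that asked the example.com servers an MX question accepts additional-section A records only for names inside example.com, so a server that appends an A record for www.yahoo.com (the poisoning scenario in the quoted mail) gets that record discarded, while the in-zone CNAME is kept and its target is resolved separately from the start. The zone name, record set and addresses are constructed sample data; the RR class and function names are this example's own.

```python
"""Bailiwick check for DNS additional-section records (illustrative only).

RFC 1035 section 3.3.9 lets a server add type A records for an MX EXCHANGE
host, but a resolver must only cache such records when they fall inside the
zone the answering server is authoritative for.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a response section (constructed)."""
    name: str
    rtype: str
    ttl: int
    rdata: str


def _norm(name: str) -> str:
    """Canonicalise a DNS name: strip the trailing dot, lower-case it."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` equals `zone` or is a proper subdomain of it.

    The "." + zone suffix test prevents example.com.evil.org from matching
    example.com by a plain string-suffix comparison.
    """
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def filter_additional(zone: str, additional: list) -> tuple:
    """Split additional-section records into (cacheable, discarded).

    `zone` is the zone the queried server is authoritative for; anything
    outside it is discarded and must be looked up from its own servers.
    """
    cacheable, discarded = [], []
    for rr in additional:
        (cacheable if in_bailiwick(rr.name, zone) else discarded).append(rr)
    return cacheable, discarded


# Constructed sample: what a hostile example.com server might return in the
# additional section of an MX response, mirroring Steve's scenario.
SAMPLE_ZONE = "example.com."
SAMPLE_ADDITIONAL = [
    RR("mail.example.com.", "A", 3600, "192.0.2.25"),           # in zone: keep
    RR("www.example.com.", "CNAME", 900000, "www.yahoo.com."),  # in zone: keep
    RR("www.yahoo.com.", "A", 900000, "192.0.2.99"),            # out of zone: drop
    RR("example.com.evil.test.", "A", 900000, "192.0.2.66"),    # suffix trick: drop
]


def names_to_cache_and_discard() -> tuple:
    """Run the filter over the sample and return the two name lists."""
    keep, drop = filter_additional(SAMPLE_ZONE, SAMPLE_ADDITIONAL)
    return [r.name for r in keep], [r.name for r in drop]


if __name__ == "__main__":
    keep, drop = names_to_cache_and_discard()
    print("cache   :", keep)
    print("discard :", drop)
```

The CNAME for www.example.com is legitimately cached because the name is in zone, but its target www.yahoo.com is not: a correct resolver follows the CNAME by starting a fresh lookup for www.yahoo.com at the yahoo.com servers rather than trusting any address the example.com server volunteered.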