cTLD and DNS upgrade
Danny Mayer
mayer at gis.net
Tue Jul 5 16:17:35 UTC 2005
Peter Dambier wrote:
> Brad Knowles wrote:
>
>>At 12:15 PM +0200 2005-07-05, Peter Dambier wrote:
>>
>>
>>
>>>Seeing in practice how cache-poisoning, even root-poisoning, accidentally
>>>works, I am glad I can prevent this by mirroring all important zones
>>>on my resolver. I have seen banks and agencies do the same and exchange
>>>zone files among them happily.
>>
>>
>> In other words, you haven't done any tests. You found something
>>that may or may not have worked in one specific instance, and you are
>>blindly applying it to everything.
>
>
> I could reproduce it easily:
>
> For every domain (X) in the root zone
>
>     dig (X) +nssearch
>
> Done
>
> After that you could be sure I had the "wrong" root-servers in my
> cache. That was the time when '.KE' did not resolve in the ICANN
> root but on the Public-Root it did.
>
> ; <<>> DiG 9.1.3 <<>> @204.61.216.7 ke axfr
> ;; global options: printcmd
>
> ke. SOA mzizi.kenic.or.ke. hostmaster.kenic.or.ke. 2004053023 ...
>
> ke. NS NS.ANYCAST.kenic.or.ke.
> ke. NS NS1.COZA.NET.ZA.
> ke. NS mzizi.kenic.or.ke.
> #.ke. NS NS1.SWIFTKENYA.COM.
> #.ke. NS NS2.SWIFTKENYA.COM.
>
> #NS1.SWIFTKENYA.COM.ke. A 80.240.192.7
> #NS2.SWIFTKENYA.COM.ke. A 64.49.144.5
> NS.ANYCAST.KENIC.OR.KE.ke. A 204.61.216.7
> MZIZI.KENIC.OR.KE.ke. A 198.32.67.9
>
> ke. SOA mzizi.kenic.or.ke. hostmaster.kenic.or.ke. 2004053023 ...
>
> ;; Query time: 199 msec
> ;; SERVER: 204.61.216.7#53(204.61.216.7)
> ;; WHEN: Tue Jul 5 16:11:40 2005
> ;; XFR size: 12 records
>
>
# is an illegal character here. They were probably trying to comment out
the line, thinking that it was a comment character. The fact that you
received that character in the transfer means that the nameserver being
used accepted it.
Danny
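A check a resolver operator could run over a transfer like the one quoted above, as an added example that is not code from this thread or from BIND: it parses dig-style AXFR output, flags owner names that contain the '#' character (which is not a comment character in RFC 1035 master files; ';' is), and flags names that violate RFC 952/1123 hostname syntax in the places where BIND's check-names option applies it (owner names of A/AAAA records, target names in NS, SOA and MX RDATA). The sample records are constructed after the quoted .ke transfer, not copied from a live zone.

```python
"""Check names in a zone transfer (dig ... axfr output) for characters
that are not legal in hostnames, in the spirit of BIND's check-names.
Added example for the bind-users thread; the SAMPLE below is constructed
after the .ke transfer quoted in the thread, not taken from a live zone."""
import re

# RFC 952/1123 hostname label: letters, digits and hyphens, 1-63 octets,
# no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
CLASSES = {"IN", "CH", "HS"}
# Record types whose owner name must be a hostname ...
HOST_OWNER_TYPES = {"A", "AAAA"}
# ... and record types whose RDATA carries a hostname (index of that field).
HOST_TARGET_FIELD = {"NS": 0, "SOA": 0, "MX": 1}

# Constructed sample modelled on the quoted transfer: two lines someone tried
# to "comment out" with '#', and the A records that came with them.
SAMPLE = """\
;; constructed after the .ke AXFR quoted in the thread
ke.                        SOA  mzizi.kenic.or.ke. hostmaster.kenic.or.ke. 2004053023 3600 900 604800 86400
ke.                 86400  IN NS NS.ANYCAST.kenic.or.ke.
ke.                        NS   NS1.COZA.NET.ZA.
ke.                        NS   mzizi.kenic.or.ke.
#.ke.                      NS   NS1.SWIFTKENYA.COM.
#.ke.                      NS   NS2.SWIFTKENYA.COM.
#NS1.SWIFTKENYA.COM.ke.    A    80.240.192.7
#NS2.SWIFTKENYA.COM.ke.    A    64.49.144.5
NS.ANYCAST.KENIC.OR.KE.ke. A    204.61.216.7
MZIZI.KENIC.OR.KE.ke.      A    198.32.67.9
"""


def is_hostname(name):
    """True if every label of name satisfies RFC 952/1123 hostname syntax."""
    if not name or len(name) > 254:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) from dig-style presentation lines.
    TTL and class are optional, as they are in the quoted output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in CLASSES:  # optional class
            rest = rest[1:]
        if not rest:
            continue
        yield owner, rest[0].upper(), rest[1:]


def check_transfer(text):
    """Return a list of (owner, rtype, offending_name, reason) findings."""
    findings = []
    for owner, rtype, rdata in parse_records(text):
        if "#" in owner:
            # '#' is never a comment in a master file; a line that carries it
            # into the zone was almost certainly meant to be commented out.
            findings.append((owner, rtype, owner, "'#' in owner name"))
        elif rtype in HOST_OWNER_TYPES and not is_hostname(owner):
            findings.append((owner, rtype, owner, "owner is not a valid hostname"))
        idx = HOST_TARGET_FIELD.get(rtype)
        if idx is not None and idx < len(rdata) and not is_hostname(rdata[idx]):
            findings.append((owner, rtype, rdata[idx], "target is not a valid hostname"))
    return findings


if __name__ == "__main__":
    for owner, rtype, name, reason in check_transfer(SAMPLE):
        print(f"{owner} {rtype}: {reason}: {name}")
```

Run it against a real transfer with `dig @server zone axfr | python3 check_names.py` after replacing SAMPLE with `sys.stdin.read()`; a secondary that loads such a zone with `check-names warn` would log the same names, while `check-names fail` would refuse the A records outright.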