BIND and TCP

Danny Mayer mayer at gis.net
Sun Sep 25 04:04:03 UTC 2005


Peter Dambier wrote:
> Indeed more and more people running their own DNS try to AXFR zones they
> need regularly. Having a copy of a zone you can see when somebody tries
> to trick your machine to ask for a poisoned page.
> 
You avoid that by specifying the allow-transfer option and list the 
addresses allowed to do this.

> DNSSEC would help too but with most of the root-servers being multicasted
> there will never be DNSSEC.
> 
The root-servers and for that matter no BIND based nameserver uses 
multicast, it doesn't make a lot of sense. You probably mean anycast and 
that is something totally different. The F-root for example is 
replicated in something like 20 countries. Maybe more, I don't keep up 
with that info.
> 
> 
> Seeing not many servers able to reply using EDNS0 mostly nobody uses EDNS0.
> Maybe they have the wrong version of bind or no bind at all
>   or even windows :)
> 

As more recent versions of nameservers are deployed there are more 
nameservers that support EDNS0. Like anything else it takes years to 
upgrade all of the servers. It doesn't happen by itself.

> Maybe it is people like Michael configuring firewalls, why EDNS0 does not
> work.
> 
Some firewalls are simply broken.

> I hope for EDNS9 someday to enable AXFR via UDP :)
> 
It won't happen, it's impractical.

Danny
> 
> Kind regards,
> Peter and Karin
> 
> 
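The allow-transfer advice above, written out as a named.conf fragment. This is an added example, not configuration from the original message or from the BIND project; the ACL name, addresses, zone name, file path and key name are constructed placeholders. It goes one step beyond the reply by also showing the TSIG-key form of allow-transfer, which BIND supports alongside plain address lists.

```conf
// Added example (not part of the original message): restrict AXFR/IXFR
// to the hosts that actually need a copy of the zone.
// All addresses, names and paths below are constructed placeholders.

acl "secondaries" {
    192.0.2.10;       // placeholder: first secondary nameserver
    2001:db8::10;     // placeholder: second secondary nameserver
};

// Optional: a TSIG key shared with the secondaries, so a transfer must
// be signed rather than merely come from an allowed address.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";   // placeholder, generate your own
};

options {
    // Server-wide default: nobody may transfer any zone unless a zone
    // statement overrides it. Avoids leaking the full zone contents.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";   // placeholder path

    // Only the listed secondaries may pull the zone; any other client
    // asking for AXFR/IXFR is refused.
    allow-transfer { secondaries; };

    // Stricter alternative: require the TSIG signature instead of, or
    // in addition to, the source address:
    //   allow-transfer { key "xfer-key"; };
};
```

After reloading, an AXFR attempt from a host that is not in the list should come back refused; that check from one of your own unlisted machines is a quick way to confirm the option took effect for every zone you serve.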