North American Network Operators Group
Re: DNS cache poisoning attacks -- are they real?
* Brad Knowles:

> At 1:08 PM +0200 2005-03-29, Florian Weimer wrote:
>
>> BIND accepts non-authoritative answers if their additional section
>> looks a bit like a referral. I don't think that this check is
>> deliberately lax, but stricter checks are simply harder to do on this
>> particular code path.
>
> BIND explicitly assumes that there might be upstream nameservers
> you may talk to that may be answering from cache.

Really? I can't get it to work reliably. Can you share an example where delegation to a non-authoritative caching resolver works, without the need for special seeding of the caching resolver?

Your posts to firstname.lastname@example.org aren't distributed by the mailing list, BTW.