DNS contamination

Dima Volodin dvv at sprint.net
Thu Jan 23 20:51:57 UTC 1997

Ignoring additional records works pretty well for me.

Otherwise, the beast is out there, and we cannot do much except wait
for it to die slowly.

For those who wonder what is so special about these addresses - they
were SprintLink's DNS servers around Wilhelm the Conqueror's time or
shortly after that. Apparently, some clueless admins have these
addresses as bogus glue records in their zones and use vintage named
versions that allow them to do that. Once leaked out in additional
sections of DNS responses, these bogus records end up in other servers'
caches, which in turn try to use these addresses to resolve queries for
names for which SprintLink's servers are claimed to be authoritative.
In two hours about 400 servers tried to use hrn-cat-2.sprintlink.net (a
Catalyst something) as a name server.

Paul A Vixie writes:
> I have done, algorithmically, everything that can be done at that level.
> At this point we are going to have to wait for DNSSEC or some other wire
> protocol change.  If you have suggestions to the contrary I would like
> to hear them.  (And if you have money to pay for BIND improvements I would
> like to hear about that, too.)
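
As an added illustration (not from the post, and not BIND's own code), here is a Python sketch of the two cache-acceptance policies the thread touches on: dropping additional records outright, or a bailiwick check that keeps additional-section glue only when its owner name falls under the zone the answer came from, so stale glue for names in some other zone never reaches the cache. The record layout, zone name and addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """A minimal resource record: owner name, type, rdata (constructed shape)."""
    name: str
    rtype: str
    rdata: str


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it (case- and dot-insensitive)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return zone == "" or name == zone or name.endswith("." + zone)


def cacheable_records(answer, authority, additional, zone, ignore_additional=False):
    """Return the records a resolver may cache from a response for `zone`.

    Answer/authority records are kept only when in bailiwick. Additional-section
    records are either discarded entirely (the "ignore additional records"
    policy from the post) or kept only for A glue whose owner name is inside
    the zone the response is authoritative for (bailiwick check).
    """
    accepted = [rr for rr in answer + authority if in_bailiwick(rr.name, zone)]
    if not ignore_additional:
        accepted += [rr for rr in additional
                     if rr.rtype == "A" and in_bailiwick(rr.name, zone)]
    return accepted


# Constructed response: a zone lists a stale SprintLink host as a name server
# and ships glue for it; only the in-zone glue should ever be cached.
ZONE = "example.org."
ANSWER = [RR("example.org.", "NS", "ns1.example.org."),
          RR("example.org.", "NS", "hrn-cat-2.sprintlink.net.")]
ADDITIONAL = [RR("ns1.example.org.", "A", "192.0.2.53"),            # legitimate glue
              RR("hrn-cat-2.sprintlink.net.", "A", "198.51.100.7")]  # bogus, out of zone


def demo_bailiwick():
    return cacheable_records(ANSWER, [], ADDITIONAL, ZONE)


def demo_ignore_additional():
    return cacheable_records(ANSWER, [], ADDITIONAL, ZONE, ignore_additional=True)


if __name__ == "__main__":
    for rr in demo_bailiwick():
        print(rr)
```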
