TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED

Gadi Evron ge at
Thu Jul 24 15:23:41 UTC 2008

On Thu, 24 Jul 2008, John Kristoff wrote:
> On Thu, 24 Jul 2008 10:06:25 +0100
> Simon Waters <simonw at> wrote:
>> I checked last night, and noticed TLD servers for .VA and .MUSEUM are
>> still offering recursion amongst a load of less popular top level
>> domains.
>> Indeed just under 10% of the authoritative name servers mentioned in
>> the root zone file still offer recursion.
> While not ideal, at least most resolvers will not go asking those
> servers for anything other than what they are authoritative for unless
> an attacker for some reason wanted to setup a long chain of poisons. The
> large, shared caching servers and all those open CPE devices are a
> much larger concern I think.

Indeed--you won't hear arguments from me on other threats, especially not 
CPE devices which I fought to bring recognition to.

But sticking to the point, TLD servers should (under most circumstances) 
be recursive. Thing is, those that are, are likely to stay that way.

I personally know several folks from within and wayyy from outside the DNS 
world who discovered this very out there and obvious issue and worked hard 
to try and contact the operators. Those that haven't fixed it yet likely 
won't if all things remain even.

Others I am not aware of likely did the same, with similar results. I 
guess we could try again.
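The check discussed in this thread (send a query with the RD bit set for a name the server is not authoritative for, then see whether the reply carries the RA bit and an answer) is easy to script. The block below is an added example for illustration; it is not code from this message or from any NANOG participant. It assumes plain UDP to port 53, uses www.example.com as the off-zone probe name, and the sample replies at the bottom are constructed header bytes, not captured traffic.

```python
"""Probe a name server for open recursion: RD=1 query for an off-zone name,
then classify the reply by its RA bit, RCODE and answer count (RFC 1035 4.1.1)."""
import secrets
import socket
import struct

# DNS header flag bits
QR = 0x8000          # response
RD = 0x0100          # recursion desired (set by us)
RA = 0x0080          # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels plus root."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, txid=None, rd=True, qtype=1):
    """Return (txid, wire) for a one-question query; qtype 1 = A, class IN."""
    if txid is None:
        txid = secrets.randbits(16)      # random ID, as any sane resolver uses
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return txid, header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def classify_response(txid, wire):
    """Classify a reply to an RD=1 query for a name outside the server's zones."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", wire[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")   # not our reply; ignore it
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & RCODE_MASK
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-recursive"          # it went and fetched the answer for us
    if flags & RA:
        return "recursion-advertised"    # RA set but no answer (e.g. NXDOMAIN)
    if rcode == RCODE_REFUSED:
        return "refused"                 # properly locked down
    return "no-recursion"                # referral or empty answer, RA clear


def probe(server, qname="www.example.com", timeout=3.0):
    """Live check against one server IP over UDP (not exercised offline)."""
    txid, wire = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(wire, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify_response(txid, data)


def sample_response(txid, flags, ancount):
    """Constructed reply header (no body) for offline demonstration only."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


# Constructed sample replies, all to transaction ID 0x1234:
OPEN_REPLY = sample_response(0x1234, QR | RD | RA, 1)               # flags 0x8180
REFUSED_REPLY = sample_response(0x1234, QR | RD | RCODE_REFUSED, 0)  # flags 0x8105
REFERRAL_REPLY = sample_response(0x1234, QR | RD, 0)                 # flags 0x8100

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY),
                         ("referral", REFERRAL_REPLY)):
        print(label, "->", classify_response(0x1234, reply))
```

The same test by hand is `dig @<server-ip> www.example.com +recurse`: a server that is not an open resolver answers REFUSED or a bare referral with the `ra` flag absent, while an open one returns the A record with `ra` set. Note the classifier checks the transaction ID before anything else; an unsolicited reply is dropped rather than interpreted.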


More information about the NANOG mailing list