TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

Gadi Evron ge at linuxbox.org
Thu Jul 24 20:05:29 CDT 2008


On Thu, 24 Jul 2008, Steve Bertrand wrote:
> Gadi Evron wrote:
>> On Thu, 24 Jul 2008, Martin Hannigan wrote:
>>> 
>>>> I personally know several folks from within and wayyy from outside the
>>>> DNS
>>>> world who discovered this very out there and obvious issue and worked
>>>> hard
>>>> to try and contact the operators. Those that haven't fixed it yet,
>>>> likely
>>>> won't if all thing remain even.
>>>> 
>>> 
>>> I don't know that a failure to act immediately is indicative of ignoring
>>> the problem. Not to defend AT&T or any other provider, but it's not as
>>> simple as rolling out a patch.
>> 
>> Marty, are we talking of the same problem? I am talking about recursion 
>> enabled in bind?
>
> I'm confused by the last sentence. I don't understand if you are asking a 
> question, or stating that recursion should be disabled.
>
> If it is a statement, then you must mean that ops should disable recursion, 
> and enable forwarding for name resolution, correct? In this case, its been 
> proven that having an upstream forward that is 'broken' will have the exact 
> same effect as having a broken recursive server.
>
> My apologies if I've misunderstood your comment.

We are talking about ccTLD NS.

 	Gadi.




More information about the NANOG mailing list