TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

Gadi Evron ge at
Fri Jul 25 01:05:29 UTC 2008

On Thu, 24 Jul 2008, Steve Bertrand wrote:
> Gadi Evron wrote:
>> On Thu, 24 Jul 2008, Martin Hannigan wrote:
>>>> I personally know several folks from within and wayyy from outside the
>>>> DNS
>>>> world who discovered this very out there and obvious issue and worked
>>>> hard
>>>> to try and contact the operators. Those that haven't fixed it yet,
>>>> likely
>>>> won't if all thing remain even.
>>> I don't know that a failure to act immediately is indicative of ignoring
>>> the problem. Not to defend AT&T or any other provider, but it's not as
>>> simple as rolling out a patch.
>> Marty, are we talking of the same problem? I am talking about recursion 
>> enabled in bind?
> I'm confused by the last sentence. I don't understand if you are asking a 
> question, or stating that recursion should be disabled.
> If it is a statement, then you must mean that ops should disable recursion, 
> and enable forwarding for name resolution, correct? In this case, its been 
> proven that having an upstream forward that is 'broken' will have the exact 
> same effect as having a broken recursive server.
> My apologies if I've misunderstood your comment.

We are talking about ccTLD NS.


More information about the NANOG mailing list