TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED
Gadi Evron
ge at linuxbox.org
Fri Jul 25 01:05:29 UTC 2008
On Thu, 24 Jul 2008, Steve Bertrand wrote:
> Gadi Evron wrote:
>> On Thu, 24 Jul 2008, Martin Hannigan wrote:
>>>
>>>> I personally know several folks from within and wayyy from outside the DNS world who discovered this very out there and obvious issue and worked hard to try and contact the operators. Those that haven't fixed it yet, likely won't if all things remain even.
>>>>
>>>
>>> I don't know that a failure to act immediately is indicative of ignoring
>>> the problem. Not to defend AT&T or any other provider, but it's not as
>>> simple as rolling out a patch.
>>
>> Marty, are we talking of the same problem? I am talking about recursion
>> enabled in bind?
>
> I'm confused by the last sentence. I don't understand if you are asking a
> question, or stating that recursion should be disabled.
>
> If it is a statement, then you must mean that ops should disable recursion,
> and enable forwarding for name resolution, correct? In this case, it's been
> proven that having an upstream forward that is 'broken' will have the exact
> same effect as having a broken recursive server.
>
> My apologies if I've misunderstood your comment.
We are talking about ccTLD NS.
Gadi.
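The check the thread is circling around, as an added example that is not part of the original mail: does an authoritative server (a ccTLD NS, in Gadi's case) still answer an RD=1 query for a name it is not authoritative for with RA set, or does it return REFUSED with RA=0? The `build_query`, `parse_header`, `recursion_offered` and `probe` helpers and both sample responses are constructed here; `probe` is for running against your own servers.

```python
import socket
import struct

def build_query(qname: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal A-record query; RD=1 asks the server to recurse for us."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the flag bits and counts we care about."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available: the bit we are auditing
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }

def recursion_offered(resp: bytes) -> bool:
    """True if the server advertises recursion; an authoritative-only NS should not."""
    h = parse_header(resp)
    return h["qr"] and h["ra"]

def probe(server: str, qname: str = "example.com", timeout: float = 3.0) -> dict:
    """Send one RD=1 query over UDP to a server you operate and decode the reply header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_header(data)

# Constructed sample replies to the query above (header + question section only).
QUESTION = build_query("example.com")[12:]
# Misconfigured: QR=1 RD=1 RA=1, NOERROR, one answer -> server recursed for a stranger.
OPEN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
# Authoritative-only: QR=1 RD=1 RA=0, RCODE=5 (REFUSED), no answer.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    import sys
    for label, r in (("open", OPEN_RESPONSE), ("refused", REFUSED_RESPONSE)):
        print(label, recursion_offered(r), parse_header(r)["rcode"])
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
```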