[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker
Simon Waters
simonw at zynet.net
Tue Aug 19 11:25:44 UTC 2008
On Tuesday 19 August 2008 11:30:26 Mohsen Souissi wrote:
>
> For example:
>
> - "dig @[fz].nic.de de ns"
> - "dig @ca0[1-6].cira.ca ca ns"
> - "dig @[a-m].gtld-servers.net net ns"
>
> all have the same behavior as a.nic.fr (if I'm not wrong) as they are
> not authoritative for the child zone in which sits the NS. The list of
> examples may be quite long I guess, that's not the point.
The TTL for the additional results from A.NIC.FR decrease.
The TTL for the additional results from f.nic.de don't (although I get
different results at different times from f.nic.de, so I assume it is more
than one servers - version queries suggest something similar).
So I doubt the configurations are identical.
Let us call them superficially similar ;)
> Is that considered a bad idea?
>
> Please justify whether the answer is YES or NO.
Can your cached data be corrupted by spoofing?
If "yes" then it is a bad idea.
As to whether supplying additional answers that are "nothing to do with you"
is a good idea; I'd think most are ignored (burning bandwidth to no avail,
and when they aren't being ignored they risk being wrong). I think a lean DNS
config is probably the thing.
I note my DNS servers serve additional data from other zones they are
authoritative for, so I probably ought to stop that as well for similar
reasons.
More information about the dns-operations
mailing list