[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Mohsen Souissi mohsen.souissi at nic.fr
Tue Aug 19 17:09:16 UTC 2008

My 2 cents:

 On 19 Aug, Florian Weimer wrote:
 | * Roy Arends:
 | > Another reason, and this is not that known, is that the
 | > authoritative server needs to notify others at times, and needs to
 | > resolve and cache those addresses, despite its configuration.
 | Ouch, thanks for sharing this information.  With BIND 9, this also
 | happens for a view which is explicitedly configured as "recursion no".
 | Is there any particular reason why BIND cannot use the configured
 | system resolver to locate the server to send notifies to?

==> I guess it does use the configured system resolver but I don't
 think that's the point. The point is that it caches that data,
 probably for optimization reasons (for further NOTIFYs to send). Btw
 RFC 1996 does not seem to cover that detail.

 | Can this
 | behavior be changed through configuration, so that BIND acts as a true
 | authoritative-only server?

==> Some options are available (for purists? :-)) in BIND 9:

additional-from-cache no;      // suggested by Ondrej in private

allow-query-cache { none; };   // As I mentioned before and which (BIND 9.4+)

I don't know how other implementations do it.


More information about the dns-operations mailing list