[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Paul Vixie vixie at isc.org
Tue Aug 19 18:21:44 UTC 2008

> > Yes, and whether this information should be used for anything else but
> > sending NOTIFY messages, is arguable.
> Hmm, this is an interesting point.  We normally talk about "cache" for
> name servers, but Peter's remarks seem to suggest thinking about
> different kinds of caches, and the rules about data from one getting
> into the other(s).  Is this a distinction we want to make, and is it
> compatible with the current RFCs?

from the point of view of the NOTIFY initiator, the ADNS is just a normal
dns stub which makes gethostbyname() calls against a configured RDNS.  in
BIND4 and BIND8 i implemented it through the fetch-glue logic, but years
and miles and packets since that time have shown that fetch-glue is a bad
idea and NOTIFY should use the nameserver host's /etc/resolv.conf or equiv
to do its name->address translations.  RFC 1996 should be updated to make
this unambiguous.

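The approach described in the message above, sketched as an added example (not part of the original post and not BIND code): the NOTIFY set is taken from the zone's NS RRset minus the SOA MNAME, as RFC 1996 defines the default, and each name is resolved through the host's stub resolver rather than from glue or cached data. The function names, host names and addresses are constructed for illustration.

```python
import socket

def normalize(name):
    """Compare DNS names case-insensitively, ignoring the trailing dot."""
    return name.rstrip(".").lower()

def stub_resolve(name):
    """Resolve via the host's stub resolver (resolv.conf or equivalent)."""
    infos = socket.getaddrinfo(name, 53, type=socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})

def notify_targets(ns_names, soa_mname, resolve=stub_resolve):
    """Map each NOTIFY target name to the addresses the stub resolver returns.

    Glue records and the server's own cache are never consulted, so an
    address reaches the NOTIFY list only if the configured recursive
    resolver vouches for it.
    """
    primary = normalize(soa_mname)
    targets = {}
    for raw in ns_names:
        name = normalize(raw)
        if name == primary or name in targets:
            continue  # skip the primary itself and duplicate NS names
        try:
            targets[name] = resolve(name)
        except OSError:
            # socket.gaierror is an OSError; keep the name so it can be logged
            targets[name] = []
    return targets

# Constructed sample data (documentation names and address ranges).
NS_RRSET = ["ns1.example.net.", "NS2.example.net.",
            "ns3.example.org.", "ns2.example.net."]
SOA_MNAME = "ns1.example.net."
FAKE_RDNS = {"ns2.example.net": ["192.0.2.53", "2001:db8::53"]}

def fake_resolve(name):
    """Offline stand-in for the configured recursive resolver."""
    if name not in FAKE_RDNS:
        raise socket.gaierror(socket.EAI_NONAME, "constructed lookup failure")
    return FAKE_RDNS[name]

if __name__ == "__main__":
    for host, addrs in notify_targets(NS_RRSET, SOA_MNAME, fake_resolve).items():
        print(host, addrs or "unresolved, no NOTIFY sent")
```

Calling `notify_targets(ns_names, soa_mname)` without the third argument uses the real stub resolver on the host.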