[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Paul Vixie vixie at isc.org
Tue Aug 19 18:21:44 UTC 2008


> > Yes, and whether this information should be used for anything else but
> > sending NOTIFY messages, is arguable.
> 
> Hmm, this is an interesting point.  We normally talk about "cache" for
> name servers, but Peter's remarks seem to suggest thinking about
> different kinds of caches, and the rules about data from one getting
> into the other(s).  Is this a distinction we want to make, and is it
> compatible with the current RFCs?

from the point of view of the NOTIFY initiator, the ADNS is just a normal
dns stub which makes gethostbyname() calls against a configured RDNS.  in
BIND4 and BIND8 i implemented it through the fetch-glue logic, but years
and miles and packets since that time have shown that fetch-glue is a bad
idea and NOTIFY should use the nameserver host's /etc/resolv.conf or equiv
to do its name->address translations.  RFC 1996 should be updated to make
this unambiguous.

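The design point in the message, as an added example that is not from the original post or from BIND: a NOTIFY initiator that resolves NS names through a pluggable stub resolver (in practice the host's /etc/resolv.conf via getaddrinfo) and never consults in-zone glue, together with the RFC 1996 NOTIFY request header. The zone names, glue and stub answers are constructed sample data.

```python
"""NOTIFY initiator as a plain DNS stub (added example, not BIND code)."""
import socket
import struct

OPCODE_NOTIFY = 4   # RFC 1996 section 3.1
QTYPE_SOA = 6
QCLASS_IN = 1

def encode_name(name):
    """Wire-encode a domain name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_notify(zone, msg_id):
    """Build a NOTIFY request: opcode 4, AA set, one SOA question (RFC 1996 3.7)."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)   # QR=0, Opcode=NOTIFY, AA=1
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def system_stub_resolver(name):
    """Use the host's configured resolver (/etc/resolv.conf or equivalent)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 53)})

def notify_targets(ns_names, self_name, resolve):
    """Return (ns, address) pairs for every NS in the RRset except ourselves.

    `resolve` is the stub resolver; the zone's own glue is never passed in,
    so authoritative data cannot steer where the NOTIFY sender delivers.
    """
    targets = []
    for ns in ns_names:
        if ns.lower() == self_name.lower():
            continue
        targets.extend((ns, addr) for addr in resolve(ns))
    return targets

# Constructed sample: in-zone glue disagrees with what the stub resolver says.
SAMPLE_NS = ["ns1.example.test.", "ns2.example.test."]
SAMPLE_GLUE = {"ns2.example.test.": ["192.0.2.99"]}        # deliberately unused
SAMPLE_STUB = {"ns2.example.test.": ["192.0.2.2"]}          # what the RDNS answers

def demo():
    """Targets for ns1 notifying its secondaries, using the sample stub."""
    return notify_targets(SAMPLE_NS, "ns1.example.test.",
                          lambda n: SAMPLE_STUB.get(n, []))
```

Swap the lambda for `system_stub_resolver` to resolve through the host's configured RDNS; the glue the zone serves still plays no part in target selection.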