[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Mark Andrews Mark_Andrews at isc.org
Wed Aug 20 02:18:41 UTC 2008

	Can we please stop saying just "BIND 9".  Different versions
	of "BIND 9" exhibit different behaviour and the defaults for
	later versions mitigated these issues.  This is as bad as
	saying BIND exhibits some behavior.

	The cache contents are, by default, not returned by later
	versions of BIND 9 except to directly connected clients.

	Named has to do view-specific lookups of addresses for
	NOTIFY so it can't offload to the system resolver.

	Warning about master/slave zones w/ recursion will just
	result in yet another knob that just about everyone will
	have to set to shut up the noisy log message, as master/slave
	zones are a good way to graft local name spaces onto recursive
	nameservers.  This sort of thing is very common.

	TLD operators should be professionals that should be capable
	of correctly configuring the servers they operate.  If you
	are getting bad answers from TLD servers you really should
	be looking at how those operators are chosen and under what
	rules they are running.  Changing named to issue a warning
	is unlikely to have any effect as they already are not
	upgrading and are not applying best practice.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
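As an added illustration (not part of Mark's message and not taken from ISC's documentation), here is what the two configuration points he raises look like in a named.conf: a recursive server that hands out cache contents only to directly connected clients, with a local zone grafted on as a slave. The zone name, file paths and addresses are constructed placeholders.

```conf
// Added example, not from the original post: a recursive BIND 9 server that
// serves its cache only to directly connected clients and carries a local
// name space grafted on as a slave zone.  All names and addresses below are
// constructed placeholders.
options {
    directory "/var/cache/bind";   // placeholder; distribution-specific
    recursion yes;

    // Later BIND 9 releases already default to localnets/localhost for these.
    // Setting them explicitly keeps the restriction in place regardless of
    // which release (and which compiled-in defaults) is running.
    allow-recursion   { localnets; localhost; };
    allow-query-cache { localnets; localhost; };

    // Authoritative data (the zone below) can still be queried by anyone;
    // only cached answers are limited to local clients.
    allow-query { any; };
};

// A local name space grafted onto the recursive server, the common setup the
// message describes.  Recursion stays enabled globally; this zone's data is
// simply answered authoritatively instead of being looked up.
zone "corp.example" {
    type slave;
    file "slaves/corp.example";      // relative to the directory option above
    masters { 192.0.2.10; };         // constructed placeholder master address
};
```

Check the file with `named-checkconf` before reloading; the split between `allow-query` and `allow-query-cache` is what keeps the grafted zone reachable while cache contents stay local.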

