[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker
Mark_Andrews at isc.org
Wed Aug 20 02:18:41 UTC 2008
Can we please stop saying just "BIND 9". Different versions
of "BIND 9" exhibit different behaviour and the defaults for
later versions mitigated these issues. This is as bad as
saying BIND exhibits some behaviour.
The cache contents are, by default, not returned by later
versions of BIND 9 except to directly connected clients.
Named has to do view specific lookups of addresses for
NOTIFY so it can't off load to the system resolver.
Warning about master/slave zones w/ recursion will just
result in yet another knob that just about everyone will
have to set to shut up the noisy log message as master/slave
zones are a good way to graft on local name spaces on recursive
nameservers. This sort of thing is very common.
TLD operators should be professionals that should be capable
of correctly configuring the servers they operate. If you
are getting bad answers from TLD servers you really should
be looking at how those operators are chosen and under what
rules they are running. Changing named to issue a warning
is unlikely to have any effect as they already are not
upgrading and are not applying best practice.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
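As an added illustration of the two configuration points in the message above (cache answers only for directly connected clients, and master/slave zones grafted onto a recursive server), here is a named.conf fragment. It is not from the post or from ISC; the client prefixes, zone names and the master address are constructed for the example. The explicit access lists reproduce what later BIND 9 releases (9.4 onward) use as their defaults, so the behaviour does not depend on which version's defaults apply.

```conf
// Added example, not part of the original post. Assumed site specifics:
// client networks 192.0.2.0/24 and 2001:db8::/32, grafted zones
// "corp.example" and "lab.example", zone master 192.0.2.53.

acl "clients" {
    localhost;
    localnets;
    192.0.2.0/24;       // constructed example prefix
    2001:db8::/32;      // constructed example prefix
};

options {
    directory "/var/named";
    recursion yes;

    // Weak setting: the cache is served to anyone who asks, which is what
    // an external "open resolver" check will flag.
    // allow-query-cache { any; };
    // allow-recursion   { any; };

    // Restricted setting: only directly connected or listed clients may
    // read cached data or cause recursion. Authoritative zone data below
    // is still answerable by anyone because allow-query stays open.
    allow-query       { any; };
    allow-query-cache { clients; };
    allow-recursion   { clients; };
};

// Local name space grafted onto the recursive server: a master zone.
zone "corp.example" {
    type master;
    file "corp.example.zone";
};

// The same pattern with a slave copy pulled from another site server.
zone "lab.example" {
    type slave;
    file "slaves/lab.example.zone";
    masters { 192.0.2.53; };   // constructed example address
};
```

Check the syntax with `named-checkconf` before reloading. From a host outside the "clients" ACL, a query for a name the server is not authoritative for (for example `dig @<server> www.example.net +norecurse`) should now come back REFUSED rather than returning cached data, while queries for corp.example and lab.example are still answered.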