[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Paul Vixie vixie at isc.org
Wed Aug 20 02:42:02 UTC 2008


> 	Can we please stop saying just "BIND 9".  Different versions
> 	of "BIND 9" exhibit different behaviour and the defaults for
> 	later versions mitigated these issues.  This is as bad as
> 	saying BIND exhibits some behavior.

for all practical purposes, there is no longer any BIND other than 9.

> 	The cache contents are, by default, not returned by later
> 	versions of BIND 9 except to directly connected clients.

what does "directly connected" mean in this context?

> 	Named has to do view specific lookups of addresses for
> 	NOTIFY so it can't off load to the system resolver.

specific in what way?  the reason BIND4 and BIND8 didn't use the system
resolver for looking up NOTIFY names is that there were too many assumptions
in libbind that made it impossible to make gethostbyname() work from within
the server.

> 	Warning about master/slave zones w/ recursion will just
> 	result in yet another knob that just about everyone will
> 	have to set to shut up the noisy log message, as master/slave
> 	zones are a good way to graft local name spaces onto recursive
> 	nameservers.  This sort of thing is very common.

you're right of course.

> 	TLD operators should be professionals that should be capable
> 	of correctly configuring the servers they operate.  If you
> 	are getting bad answers from TLD servers you really should
> 	be looking at how those operators are chosen and under what
> 	rules they are running.  Changing named to issue a warning
> 	is unlikely to have any effect as they already are not
> 	upgrading and are not applying best practice.

i wasn't thinking of this for TLD operators, but for the rest of us.
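
As an added illustration (not part of the original message or of BIND's documentation), here is a hypothetical named.conf fragment for a recursive BIND 9 server that limits cache answers to directly connected clients and grafts a local zone onto it, the master/slave-on-a-recursive-server pattern the quoted text describes. The ACL name, the 192.0.2.0/24 prefix, the zone name and the file paths are constructed; BIND 9.4 or later syntax is assumed.

```conf
// Hypothetical named.conf fragment (BIND 9.4+ syntax assumed).
acl "local-clients" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;     // constructed prefix standing in for the site's LAN
};

options {
    directory "/var/named";   // assumed path
    recursion yes;
    // Only directly connected clients may recurse through this server...
    allow-recursion { "local-clients"; };
    // ...and only they may read answers already sitting in the cache.
    // When unset, BIND 9.4+ falls back to the allow-recursion ACL, or to
    // localnets/localhost, which presumably is the "directly connected
    // clients" default the quoted message refers to.
    allow-query-cache { "local-clients"; };
    // Authoritative zone data is governed by allow-query, not by the two
    // ACLs above, so it is set explicitly per zone below.
    allow-query { any; };
};

// A local name space grafted onto the recursive server.
// Zone name and file are constructed.
zone "corp.example" {
    type master;
    file "corp.example.zone";
    // Keep the private zone, too, to local clients only.
    allow-query { "local-clients"; };
};
```

With this layout an outside query receives neither cached records nor the private zone, while the server stays a full recursive resolver for its own clients.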
