[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Mark Andrews Mark_Andrews at isc.org
Wed Aug 20 03:13:51 UTC 2008


> > 	Can we please stop saying just "BIND 9".  Different versions
> > 	of "BIND 9" exhibit different behaviour and the defaults for
> > 	later versions mitigated these issues.  This is as bad as
> > 	saying BIND exhibits some behavior.
> 
> for all practical purposes, there is no longer any BIND other than 9.

	I was just worried about the lack of specificity.

> > 	The cache contents are, by default, not returned by later
> > 	versions of BIND 9 except to directly connected clients.
> 
> what does "directly connected" mean in this context?

	Matches the built-in acls localnets; or localhost;
 
> > 	Named has to do view specific lookups of addresses for
> > 	NOTIFY so it can't off load to the system resolver.
> 
> specific in what way?  the reason BIND4 and BIND8 didn't use the system
> resolver for looking up NOTIFY names is that there were too many assumptions
> in libbind that made it impossible to make gethostbyname() work from within
> the server.

	View specific name -> address mappings.
 
> > 	Warning about master/slave zones w/ recursion will just
> > 	result in yet another knob that just about everyone will
> > 	have to set to shut up the noisy log message as master/slave
> > 	zones are a good way to graft on local name spaces on recursive
> > 	nameservers.  This sort of thing is very common.
> 
> you're right of course.
> 
> > 	TLD operators should be professionals that should be capable
> > 	of correctly configuring the servers they operate.  If you
> > 	are getting bad answers from TLD servers you really should
> > 	be looking at how those operators are chosen and under what
> > 	rules they are running.  Changing named to issue a warning
> > 	is unlikely to have any effect as they already are not
> > 	upgrading and are not applying best practice.
> 
> i wasn't thinking of this for TLD operators, but for the rest of us.

	The defaults give reasonable behaviour for the rest of us
	running authoritative only or mixed servers when we upgrade
	to BIND 9.4.1 or later.  Potentially recursive clients can
	see the cache, everyone else can't.  Potentially recursive
	clients default to directly connected clients.

	If you are trying to set up an authoritative only server the
	cache is practically not visible.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
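The cache-visibility behaviour described in the message above, written out as an explicit named.conf fragment. This is an added example, not configuration from the message or from ISC: the directory path, zone names and master address are constructed placeholders, and the options used (allow-query, allow-recursion, allow-query-cache, the built-in localnets and localhost acls) are the BIND 9.4+ options the thread refers to.

```conf
// Added example, not from the original message or from ISC.
// Explicit BIND 9.4.1+ options block spelling out the behaviour Mark
// describes: authoritative data is visible to everyone, cache contents
// and recursion only to directly connected clients.
options {
    directory "/var/named";          // assumed path
    recursion yes;

    // Anyone may query the authoritative zones served below.
    allow-query { any; };

    // Only directly connected clients (built-in acls) may recurse ...
    allow-recursion { localnets; localhost; };

    // ... and only they may see cached (non-authoritative) data.
    allow-query-cache { localnets; localhost; };
};

// Public authoritative zone: answers come from zone data, so they are
// governed by allow-query, not allow-query-cache, and are visible to all.
zone "example.com" {
    type master;
    file "example.com.zone";         // constructed file name
};

// Locally grafted name space on the same recursive server (the
// master/slave-with-recursion case the message calls common). Its data
// is zone data rather than cache, so allow-query-cache does not restrict
// it; it is only meant for internal clients, so restrict it per zone.
zone "corp.internal" {
    type slave;
    masters { 192.0.2.10; };         // constructed address
    file "corp.internal.zone";       // constructed file name
    allow-query { localnets; localhost; };
};
```

Setting allow-recursion and allow-query-cache explicitly, rather than relying on the default, avoids the version-dependent fallback rules in 9.4.x under which an unset allow-query-cache can inherit a wider ACL from other options. To confirm the effect, query the server from a host outside localnets for a name it is not authoritative for: with this configuration the response is REFUSED, while a query for a name in example.com is answered normally.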