[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Paul Vixie vixie at isc.org
Wed Aug 20 04:36:08 UTC 2008

> > > 	The cache contents are, by default, not returned by later
> > > 	versions of BIND 9 except to directly connected clients.
> > 
> > what does "directly connected" mean in this context?
> 	Matches the built in acls localnets; or localhost;

so if BIND9 has to go searching around for the A RR for some NS in order
to send a NOTIFY, and then later it has to answer with a referral that
includes that NS, will it only include the A RR (that it fetched for the
NOTIFY) in the additional data section if the query source matches the
built-in ACLs localnets or localhost?

> > > 	Named has to do view specific lookups of addresses for
> > > 	NOTIFY so it can't off load to the system resolver.
> > 
> > specific in what way?  the reason BIND4 and BIND8 didn't use the system
> > resolver for looking up NOTIFY names is that there were too many
> > assumptions in libbind that made it impossible to make gethostbyname()
> > work from within the server.
> 	View specific name -> address mappings.

ah, yes.  i've been brought up short on that one before now.  it's a pity
(or just a bug, really) if these mappings are also visible in query results,
whether as answers, or as glue.  servers acting as NOTIFY initiators ought
not mix what they learn from tracking down nameserver addresses into what
they return as on-the-wire results.

> > i wasn't thinking of this for TLD operators, but for the rest of us.
> 	The defaults give reasonable behaviour for the rest of us
> 	running authoritative only or mixed servers when we upgrade
> 	to BIND 9.4.1 or later.  Potentially recursive clients can
> 	see the cache, everyone else can't.  Potentially recursive
> 	clients default to directly connected clients.
> 	If you are trying to set up an authoritative only server the
> 	cache is practically not visible.

given that the defaults are still that recursion is on even if there are
authority zones, or that many people will run this way on purpose since it's
convenient for them, i think a warning is due.  recursion and authority don't
mix well.
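As an added illustration of the separation the thread argues for (this is example configuration written for this page, not from the thread, ISC, or BIND's own documentation), the named.conf below uses BIND 9 views so that recursion and cache access are confined to local clients while everyone else receives authoritative data only. The 192.0.2.0/24 network, the example.com zone, its file path and the secondary's address are constructed placeholders.

```conf
// Added example: split recursive and authoritative service with BIND 9 views.
// 192.0.2.0/24, example.com and the file names are constructed placeholders.

acl "my-clients" { 192.0.2.0/24; localhost; localnets; };

options {
    directory "/var/named";
    notify yes;                   // still notify secondaries on zone change
};

// Internal view: recursion and cache contents only for our own clients.
view "internal" {
    match-clients     { "my-clients"; };
    recursion yes;
    allow-recursion   { "my-clients"; };
    allow-query-cache { "my-clients"; };
    zone "example.com" {
        type master;
        file "example.com.zone";         // placeholder path
    };
};

// External view: authoritative answers only; no recursion, no cache exposure.
// NOTIFY target addresses are resolved per view, so whatever this view
// learns while notifying stays out of reach of outside queriers' cache access.
view "external" {
    match-clients     { any; };
    recursion no;
    allow-query-cache { none; };
    allow-query       { any; };
    zone "example.com" {
        type master;
        file "example.com.zone";         // placeholder path
        allow-transfer { 192.0.2.53; };  // constructed secondary address
    };
};
```

With views in use every zone must live inside a view (BIND rejects zones defined outside views once any view exists), so the zone is declared in both; a purely authoritative host can instead drop the internal view entirely and set recursion no globally, which is the "practically not visible" case the reply describes.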
