[dns-operations] Concerns regarding the ICANN/IANA DNS vulnerability checker

Matthew Pounsett matt.pounsett at cira.ca
Wed Aug 20 06:19:02 UTC 2008


On 20-Aug-2008, at 00:36 , Paul Vixie wrote:

>>>> 	The cache contents are, by default, not returned by later
>>>> 	versions of BIND 9 except to directly connected clients.
>>>
>>> what does "directly connected" mean in this context?
>>
>> 	Matches the built in acls localnets; or localhost;
>
> so if BIND9 has to go searching around for the A RR for some NS in order
> to send a NOTIFY, and then later it has to answer with a referral that
> includes that NS, will it only include the A RR (that it fetched for the
> NOTIFY) in the additional data section if the query source matches the
> built-in ACLs localnets or localhost?

This is perhaps getting a bit BIND-specific for dns-ops, but at what  
point did the behaviour change?  In the 9.3 branch, authority servers  
will hand out cached NOTIFY lookups to queriers outside of localnets. 
  