[dns-operations] "NS .", the attack of the month?

Stefan Schmidt stefan.schmidt at freenet.ag
Sun Jan 25 01:08:38 UTC 2009


On Sat, Jan 24, 2009 at 06:48:31PM -0600, Jeremy C. Reed wrote:
> > Answering with REFUSED or SERVFAIL is still better than not answering at
> > all which, if deployed in large scale, would would most likely cause all
> > recursive servers to cripple under the load of outstanding queries to
> > authoritative servers.
> 
> What outstanding queries? Answer to who?

Hmm bad thinking on my side, authoritatives should not be getting too
much queries for zones they are not configured/delegated for.

To answer your question that would be lame delegated auth servers then.
Yes, i use the term lame delegation to depict any delegation that is not
'perfect'.

Anyway as i myself was reminded of this by a friend let me remind you of
the following:

http://doc.powerdns.com/powerdns-advisory-2008-02.html

I don't really remember the kind of spoofing it was back then but apparently
not answering still has bad implications.

	Stefan
-- 
The war ain't over til I say it's over. This is my picture.
- Wag the Dog



More information about the dns-operations mailing list