[dns-operations] DNS Security Advisory (infinite recursion)
Tony Finch
dot at dotat.at
Tue Dec 9 10:43:43 UTC 2014
I just saw this bit in RFC 1034 page 34/35

    Step 2 looks for a name server to ask for the required data. [...] Set up
    their addresses using local data. It may be the case that the addresses
    are not available. The resolver has many choices here; the best is to
    start parallel resolver processes looking for the addresses while
    continuing onward with the addresses which are available. Obviously, the
    design choices and options are complicated and a function of the local
    host's capabilities. The recommended priorities for the resolver designer
    are:

    1. Bound the amount of work (packets sent, parallel processes
       started) so that a request can't get into an infinite loop or
       start off a chain reaction of requests or queries with other
       implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
       SOME DATA.

... So I guess Jeeves wasn't vulnerable to this bug?
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Biscay, Southeast Fitzroy: North or northwest 5, backing west or northwest 5
to 7. Rough or very rough. Rain later. Good, occasionally moderate later.
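
Added example (not part of the message above and not code from any resolver implementation): a toy in-memory resolver that applies priority 1 from the quoted RFC 1034 text, a per-request work budget, so that a misconfigured glueless NS loop ends in SERVFAIL instead of endless sub-queries. The zone data, names, addresses and the limit of 20 are constructed assumptions.

```python
# Constructed toy data: no network access, all names and addresses are made up.
NS = {                                   # zone -> its nameserver names
    "good.example": ["ns1.good.example"],
    "a.example": ["ns.b.example"],       # glueless, points into b.example
    "b.example": ["ns.a.example"],       # glueless, points back: a loop
}
GLUE = {"ns1.good.example": "192.0.2.1"}          # addresses in local data
ANSWERS = {"www.good.example": "192.0.2.80"}      # what the servers would say

class WorkLimitExceeded(Exception):
    """Per-request budget used up; a real resolver would answer SERVFAIL."""

class Budget:
    """Counts sub-queries for ONE client request, across all recursion."""
    def __init__(self, limit):
        self.limit, self.used = limit, 0
    def spend(self):
        if self.used >= self.limit:
            raise WorkLimitExceeded(self.limit)
        self.used += 1

def enclosing_zone(name):
    labels = name.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in NS:
            return zone
    raise KeyError(name)

def resolve(name, budget):
    budget.spend()                       # every query started costs one unit
    for ns in NS[enclosing_zone(name)]:
        if ns not in GLUE:               # address missing: go and look for it
            resolve(ns, budget)          # same budget, so the loop is bounded
    return ANSWERS[name]

def lookup(name, limit=20):
    """Returns (rcode, answer, sub-queries used)."""
    budget = Budget(limit)
    try:
        return ("NOERROR", resolve(name, budget), budget.used)
    except WorkLimitExceeded:
        return ("SERVFAIL", None, budget.used)

# A visited-set would also stop this two-zone cycle, but not a chain of
# ever-new names; the counter bounds both.
print(lookup("www.good.example"))
print(lookup("www.a.example"))
```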