[dns-operations] How Stack Overflow plans to survive the next DNS attack

Paul Vixie vixie at tisf.net
Wed Jan 11 20:35:05 UTC 2017


On Wednesday, January 11, 2017 9:28:36 AM PST Jared Mauch wrote:
> > NOTIFY fixed this problem 20 years ago.
> > 
> 
> I generally agree, but there is some nuance here, eg: if I want to reset my
> serial, NOTIFY is of no help.

actually it is, it's just not well documented. given $wrong and $right, where $wrong > $right using serial-number arithmetic as defined for TCP sequence numbers, you do this:

step 1: set serial = $wrong + 0x7fffffff, send notify, observe transfer
step 2: set serial = $right, send notify, observe transfer

obviously this depends on $wrong - $right < 0x80000000, but that's usually the case. if it's not, then more steps or different offsets may be needed in "step 1" above.

probably this deserves an RFC, perhaps one that also clarified other aspects of NOTIFY.

note that there was an older bind8 trick involving "set serial = 0", which is now long-dead.

-- 
P. Vixie
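The two-step reset Vixie describes above, written out as an added example (not code from the original post): RFC 1982 serial-number arithmetic plus a small planner that emits the sequence of serials to publish, generalising to the case where a single 0x7fffffff offset is not enough (for instance when $wrong is only 1 ahead of $right). The function names and the sample serials are assumptions made for this example.

```python
"""Plan a DNS SOA serial rollback using only NOTIFY-visible increases (RFC 1982 arithmetic).

Secondaries only transfer when the new serial is "greater" than the one they hold, so a
wrong serial can't simply be set back; each published serial must look like an increase.
Function names and sample values below are constructed for this example.
"""

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)   # 0x80000000: the undefined "exactly opposite" distance
MAX_INC = HALF - 1              # 0x7fffffff: largest single increment RFC 1982 permits


def serial_add(s: int, n: int) -> int:
    """RFC 1982 addition: n must lie in [0, 2^31 - 1]; the sum wraps modulo 2^32."""
    if not 0 <= n <= MAX_INC:
        raise ValueError("increment outside RFC 1982 range")
    return (s + n) % MOD


def serial_gt(a: int, b: int) -> bool:
    """True iff a is 'greater than' b per RFC 1982 (same rule as TCP sequence numbers).

    Returns False when a == b and when the distance is exactly 2^31 (undefined ordering),
    which is precisely the case a secondary would refuse to treat as an update.
    """
    d = (a - b) % MOD
    return 0 < d < HALF


def plan_rollback(wrong: int, right: int) -> list[int]:
    """Return the serials to publish, in order, so that every hop is an increase.

    With $wrong - $right < 0x80000000 this yields the two steps from the post:
    [wrong + 0x7fffffff, right]. Otherwise it keeps stepping by 0x7fffffff until
    the target is within forward range; never more than three hops are needed.
    """
    plan: list[int] = []
    cur, right = wrong % MOD, right % MOD
    while cur != right:
        distance = (right - cur) % MOD           # forward distance to the target
        nxt = right if distance < HALF else serial_add(cur, MAX_INC)
        assert serial_gt(nxt, cur), "each step must be an RFC 1982 increase"
        plan.append(nxt)
        cur = nxt
    return plan


if __name__ == "__main__":
    # Constructed example: a fat-fingered date-style serial 2071011101 instead of 2017011101.
    for serial in plan_rollback(2071011101, 2017011101):
        print(f"set serial = {serial}, send NOTIFY, observe transfer")
```

Each printed line corresponds to one "set serial / notify / observe transfer" round from the post; the planner refuses to emit a hop a secondary would ignore.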