Date: Mon, 16 Jul 2001 20:29:13 -0500 (CDT)
From: Mike Silbersack
To: Matt Dillon
Cc: Len Conrad
Subject: Re: Weird named problem - IN A for nameservers being lost!
In-Reply-To: <200107170114.f6H1E5P33636@earth.backplane.com>
Message-ID: <20010716201723.P74787-100000@achilles.silby.com>

On Mon, 16 Jul 2001, Matt Dillon wrote:

> I don't think that's it... if you look at the dumps, there were no timeouts
> in the 2-day range. The original glue NS records (from exodus) had already
> been completely replaced by the NS record from their zone. Everything in
> their zones is already synchronized.
>
> -Matt

If I recall correctly, what you're describing above *causes* the problem.
Their NSes have to be synced with the roots.

I tried searching the archives, and I can't find the messages talking
about the topic. I did find djb's page with his rants about dns
breakages, and at the end of one he mentions:

"Beware that, because of the ``credibility'' rules described above, the NS
records from the child servers must include the NS records from the
parent. Otherwise an attacker can break BIND's access to the child
servers."

This is from: http://cr.yp.to/djbdns/notes.html

So, there's something to it, though I no longer remember exactly why.
Read through that page; he seems to be trying to explain the problem.

Mike "Silby" Silbersack
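The rule quoted above from djb's notes (the child servers' NS records must include the parent's NS records) can be checked mechanically. The following is an added example, not part of the original message: it compares the NS set a parent publishes for a delegation with the NS set the child zone serves for itself. The zone name, server names, record lines and function names are all constructed for illustration.

```python
def normalize(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def ns_targets(records, zone):
    """Collect NS targets owned by `zone` from 'owner ttl class NS target' lines."""
    targets = set()
    for line in records.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments, tokenize
        if (len(fields) >= 3 and fields[-2].upper() == "NS"
                and normalize(fields[0]) == normalize(zone)):
            targets.add(normalize(fields[-1]))
    return targets

def check_delegation(parent_records, child_records, zone):
    """Compare the parent's delegation NS set with the child's own NS set."""
    parent = ns_targets(parent_records, zone)
    child = ns_targets(child_records, zone)
    return {
        # The rule from the quoted notes: child NS set must include the parent's.
        "ok": bool(parent) and parent <= child,
        "missing_from_child": sorted(parent - child),
        "only_in_child": sorted(child - parent),
    }

# Constructed sample data: what the parent hands out for the delegation.
PARENT = """
example.com.          172800 IN NS ns1.hosting.example.
example.com.          172800 IN NS ns2.hosting.example.
ns1.hosting.example.  172800 IN A  192.0.2.1   ; glue address, not an NS record
"""
# Constructed: the child zone replaced one parent NS name with its own.
CHILD_BROKEN = """
example.com. 3600 IN NS NS1.example.com.
example.com. 3600 IN NS ns2.hosting.example.
"""
# Constructed: the child zone lists every parent NS name plus one extra.
CHILD_FIXED = CHILD_BROKEN + "example.com. 3600 IN NS ns1.hosting.example.\n"

if __name__ == "__main__":
    for label, child in (("broken", CHILD_BROKEN), ("fixed", CHILD_FIXED)):
        print(label, check_delegation(PARENT, child, "example.com"))
```

In practice the two record sets would come from a non-recursive NS query to a parent server and to each child server.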