Date: Mon, 16 Jul 2001 20:29:13 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Matt Dillon <dillon@earth.backplane.com>
Cc: Len Conrad <LConrad@Go2France.com>, <freebsd-hackers@FreeBSD.ORG>
Subject: Re: Weird named problem - IN A for nameservers being lost!
Message-ID: <20010716201723.P74787-100000@achilles.silby.com>
In-Reply-To: <200107170114.f6H1E5P33636@earth.backplane.com>

On Mon, 16 Jul 2001, Matt Dillon wrote:

> I don't think that's it... if you look at the dumps, there were no timeouts
> in the 2-day range. The original glue NS records (from exodus) had already
> been completely replaced by the NS record from their zone. Everything in
> their zones is already synchronized.
>
> -Matt

If I recall correctly, what you're describing above *causes* the problem.
Their NSes have to be synced with the roots. I tried searching the
archives, and I can't find the messages talking about the topic. I did
find djb's page with his rants about dns breakages, and at the end of one
he mentions:

"Beware that, because of the ``credibility'' rules described above, the NS
records from the child servers must include the NS records from the
parent. Otherwise an attacker can break BIND's access to the child
servers."

This is from: http://cr.yp.to/djbdns/notes.html

So, there's something to it, though I no longer remember exactly why.
Read through that page, he seems to be trying to explain the problem.

Mike "Silby" Silbersack
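
The rule quoted above from djb's notes (the NS set served by the child servers must include the NS set in the parent's delegation) can be checked mechanically. The following is an added example, not part of the original message: the zone `example.test`, the server names and the record text are constructed, and `ns_set` and `check_delegation` are hypothetical helpers.

```python
# Added example. The record text below is constructed, in the layout that
# `dig +norecurse NS <zone> @<server>` prints for a parent-side referral
# and for the child's authoritative answer.
PARENT_REFERRAL = """\
example.test.   172800  IN  NS  ns1.example.test.
example.test.   172800  IN  NS  ns2.example.test.
example.test.   172800  IN  NS  NS3.Provider.Test.
"""
CHILD_ANSWER = """\
; child zone apex as served by ns1.example.test
example.test.   3600    IN  NS  ns1.example.test.
example.test.   3600    IN  NS  ns2.example.test
example.test.   3600    IN  NS  ns4.example.test.
www.example.test. 300   IN  A   192.0.2.10
"""

def norm(name):
    """DNS names compare case-insensitively; force one trailing dot."""
    return name.strip().rstrip(".").lower() + "."

def ns_set(text, zone):
    """Collect the NS targets owned by `zone` from dig-style record lines."""
    zone, found = norm(zone), set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        if len(fields) < 4 or fields[-2].upper() != "NS":
            continue                             # not an NS record
        if norm(fields[0]) == zone:
            found.add(norm(fields[-1]))
    return found

def check_delegation(parent_text, child_text, zone):
    """Compare the parent's delegation NS set with the child's apex NS set."""
    parent, child = ns_set(parent_text, zone), ns_set(child_text, zone)
    return {
        # Names the parent delegates to but the child does not list:
        # the condition the quoted note warns about.
        "missing_from_child": sorted(parent - child),
        # Names only the child lists (parent delegation is out of date).
        "only_in_child": sorted(child - parent),
        "child_includes_parent": bool(parent) and parent <= child,
    }

if __name__ == "__main__":
    for key, value in check_delegation(PARENT_REFERRAL, CHILD_ANSWER,
                                       "example.test").items():
        print(f"{key}: {value}")
```

Against live zones, the two inputs would come from querying a parent-zone server and a child server directly with recursion disabled, so that neither answer is coloured by a cache.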