From: Matt Dillon
Date: Mon, 16 Jul 2001 19:21:38 -0700 (PDT)
To: Mike Silbersack
Cc: Len Conrad ,
Delivered-To: freebsd-hackers@freebsd.org
Subject: Re: Weird named problem - IN A for nameservers being lost!
Message-Id: <200107170221.f6H2Lcj36277@earth.backplane.com>
References: <20010716201723.P74787-100000@achilles.silby.com>

:On Mon, 16 Jul 2001, Matt Dillon wrote:
:
:> I don't think that's it... if you look at the dumps, there were no timeouts
:> in the 2-day range. The original glue NS records (from exodus) had already
:> been completely replaced by the NS record from their zone. Everything in
:> their zones is already synchronized.
:>
:> -Matt
:
:If I recall correctly, what you're describing above *causes* the problem.
:Their NSes have to be synced with the roots.
:
:I tried searching the archives, and I can't find the messages talking
:about the topic. I did find djb's page with his rants about dns
:breakages, and at the end of one he mentions:
:
:"Beware that, because of the ``credibility'' rules described above, the NS
:records from the child servers must include the NS records from the
:parent. Otherwise an attacker can break BIND's access to the child
:servers."
:
:This is from: http://cr.yp.to/djbdns/notes.html
:
:So, there's something to it, though I no longer remember exactly why.
:Read through that page, he seems to be trying to explain the problem.
:
:Mike "Silby" Silbersack

Interesting. He describes in the section about 'expiring glue' creating
loops in the DNS server, but doesn't mention a particular bug. However,
there's another section where he mentions something about bind reducing
the TTL by 5% for certain credibility cases.

Going back to my original posting... the NS is 2016 and fuji is 1846 =
170 = 5%. I think this credibility stuff reducing the TTL in named is
responsible for these blowups. I am going to email the bind group with
this whole mess to see what they have to say.

-Matt
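The rule quoted from djb's notes in this thread, that the NS RRset served by the child zone's own servers must include every NS the parent delegates, is easy to check before a resolver's credibility rules ever come into play. The following is an added example, not code from the thread or from BIND/djbdns; it parses constructed dig-style NS answer text for a made-up zone (example.test, ns1/ns2.exodus-host.test, fuji.example.test) and reports any delegated server the child omits.

```python
"""Compare a parent's delegation NS set with the child's apex NS set."""
import re

# Constructed sample input (not a real zone): what the parent servers
# hand out as delegation, and what the child's own servers answer at
# the apex.  The child has dropped ns2 and added fuji, exactly the
# mismatch djb's credibility note warns about.
PARENT_DELEGATION = """\
example.test.   172800  IN  NS  ns1.exodus-host.test.
example.test.   172800  IN  NS  ns2.exodus-host.test.
"""
CHILD_APEX = """\
example.test.   2016    IN  NS  ns1.exodus-host.test.
example.test.   2016    IN  NS  fuji.example.test.
"""

# owner  ttl  IN  NS  nsdname   (dig-style presentation format)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")


def parse_ns(text):
    """Return {nsdname: ttl} for every NS record in dig-style text.
    Comment lines (';') and blank lines are skipped; names are
    normalised to lower case without the trailing dot."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records[m.group(3).lower().rstrip(".")] = int(m.group(2))
    return records


def delegation_report(parent_text, child_text):
    """Flag delegated NS names the child does not serve itself, plus any
    names the child advertises that the parent knows nothing about."""
    parent = parse_ns(parent_text)
    child = parse_ns(child_text)
    missing = sorted(set(parent) - set(child))
    extra = sorted(set(child) - set(parent))
    return {
        "missing_in_child": missing,   # these break BIND's access per djb
        "extra_in_child": extra,       # unreachable via the parent's glue
        "consistent": not missing,
    }


if __name__ == "__main__":
    print(delegation_report(PARENT_DELEGATION, CHILD_APEX))
```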