North American Network Operators Group


Re: how to protect name servers against cache corruption

  • From: Karl Denninger
  • Date: Tue Jul 22 22:22:23 1997

On Tue, Jul 22, 1997 at 01:24:59PM -0700, Paul A Vixie wrote:
> a BIND 4.9.6 or 8.1.1 server is immune.  so, you could upgrade.  to so do,
> see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
> (the root name servers are all running modern software at this point.)
> 
> alternic's corruption works by locating authoritative name servers via the
> "NS RR"'s published in various zones.  if you run these as authoritative-
> only (recursion disabled) then they will never fetch any data from anywhere.
> (the root name servers are configured this way, for example.)  the downside
> is that you can't list such nameservers in your "resolv.conf" files or PC
> equivalents (Control Panel\Networking\TCP IP Settings, or some such rot.)
> this means you need more name servers if you separate recursive from non-
> recursive.

Well, Alternic's persona-non-grata (Eugene) is about to find himself in a
LOT of hot water for what he's done.

I have been told by a media figure who called me that the civil charges, 
including a petition to seize *all* of his hardware, are being read 
tomorrow.  I expect that there may be criminal issues involved here 
as well.

Playing "hahaha, www.biteme.eugene resolves now" is a childish prank of 
no significance.  Hijacking someone else's web site using the same trick, 
however, is an entirely different thing and is no laughing matter.

I'm with Paul on this one (see, Paul, we can agree on something once in a
while :-)  -- update your code to either 4.9.6 or (preferably) 8.1.1

--
-- 
Karl Denninger ([email protected])| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
			     | 99 Analog numbers, 77 ISDN, http://www.mcs.net/
Voice: [+1 312 803-MCS1 x219]| NOW Serving 56kbps DIGITAL on our analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
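
The authoritative-only setup described in the quoted message can be checked from outside: a name server with recursion disabled leaves the RA (recursion available) bit clear in its replies. The following is an added example, not part of the original post; the function names, the example.com query name and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """Build an A/IN query with RD set, the way a stub resolver asks."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(response, qid):
    """Return 'recursive', 'authoritative-only' or 'invalid' from the header."""
    if len(response) < 12:
        return "invalid"          # shorter than a DNS header
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & QR:
        return "invalid"          # not a reply to our query
    return "recursive" if flags & RA else "authoritative-only"

def probe(server, name="example.com", timeout=3.0):
    """Send one UDP query to `server` (an IP address) and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data, 0x1234)

def sample_response(flags, qid=0x1234):
    """Constructed reply: header with the given flags plus the echoed question."""
    question = build_query("example.com", qid)[12:]
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question

# Constructed samples, not captured traffic.
AUTH_ONLY = sample_response(0x8105)   # QR|RD, RA clear, rcode 5 (REFUSED)
RECURSIVE = sample_response(0x8180)   # QR|RD|RA, rcode 0 (NOERROR)

if __name__ == "__main__":
    for label, msg in (("auth-only sample", AUTH_ONLY), ("recursive sample", RECURSIVE)):
        print(label, "->", classify(msg, 0x1234))
```

Run `probe()` against each server listed in your zones' NS records; on servers that restrict recursion by client address, the result depends on where the probe runs from.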