North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

  • From: Steve Bertrand
  • Date: Sun Jul 27 21:38:30 2008

Gadi Evron wrote:
On Thu, 24 Jul 2008, Martin Hannigan wrote:

I personally know several folks from within and wayyy from outside the
DNS
world who discovered this very out there and obvious issue and worked
hard
to try and contact the operators. Those that haven't fixed it yet,
likely
won't if all thing remain even.


I don't know that a failure to act immediately is indicative of ignoring the problem. Not to defend AT&T or any other provider, but it's not as simple as rolling out a patch.

Marty, are we talking of the same problem? I am talking about recursion enabled in bind?

I'm confused by the last sentence. I don't understand if you are asking a question, or stating that recursion should be disabled.


If it is a statement, then you must mean that ops should disable recursion, and enable forwarding for name resolution, correct? In this case, its been proven that having an upstream forward that is 'broken' will have the exact same effect as having a broken recursive server.

My apologies if I've misunderstood your comment.

Steve