DNS cache problem

Andris Kalnozols andris at hpl.hp.com
Mon Dec 3 22:22:32 UTC 2001


Speaking of possible corruption, your ISP is running a
vulnerable version of BIND.  An upgrade to 8.2.5 should
be able to be done with little or no change to their
infrastructure.

h2n -V zyvex.com

Verifying zone data for domain 'zyvex.com.':
Getting NS RRset...
Transferring zone... (from 'DFWNS2.AIRBAND.NET' [206.50.26.196])
Parsing zone data... (NS BIND version: 8.2.2-P7)
Performing in-zone and external lookups...

Warning: the nameserver supplying the zone data is running a version
         of BIND that is vulnerable to the following bug(s):
 infoleak & tsig.
 See < http://www.isc.org/products/BIND/bind-security.html > and
     < http://www.cert.org/advisories/CA-2001-02.html > for details.

Warning: found MX RR(s) pointing to the following problematic domain name(s):
 mail.zyvex.com.                        [CNAME record] 


Andris Kalnozols


> I get the new IP (I assume, it's not 64.241.222.34 at least):
> 
> > zyvex.com.		172800	IN	NS	DFWNS1.AIRBAND.NET.
> > zyvex.com.		172800	IN	NS	DFWNS2.AIRBAND.NET.
> > ;; Received 118 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 261 ms
> >
> > zyric.zyvex.com.	86400	IN	A	216.138.97.43
> > zyvex.com.		86400	IN	NS	dfwns1.airband.net.
> > zyvex.com.		86400	IN	NS	dfwns2.airband.net.
> > ;; Received 143 bytes from 206.50.26.195#53(DFWNS1.AIRBAND.NET) in 181 ms
> 
> Probably just a caching issue. Depending on how things were set up
> before it may take a while before it times out.
> 
> And if the SOA record was corrupt, why was the zone even loaded? And
> no, the SOA record does not specify the cache time; that is a property
> of each individual RRset. The SOA record's last field is the
> _negative_ TTL.
> 
> 
> Michael Kjörling
> 
> 
> On Dec 3 2001 15:40 -0600, Mike Weller wrote:
> 
> > Before the change, I polled a dozen nameservers around the world
> > for zyric.zyvex.com:
> > nslookup zyric.zyvex.com  140.221.9.6
> > nslookup zyric.zyvex.com 141.217.90.3
> > nslookup zyric.zyvex.com 141.217.1.13
> > nslookup zyric.zyvex.com 141.217.1.15
> > nslookup zyric.zyvex.com 206.191.74.19
> > nslookup zyric.zyvex.com 24.226.1.11
> >
> > The change was made at 12pm cst today (Monday).
> > 3 hours later, all nameservers still report the old IP
> > (64.241.222.34), despite the minimum TTL of 1 hour.
> >
> > My question to you DNS experts is, if an SOA record is corrupt (and
> > thus, can't read the cache time) how long does the nameserver cache
> > IPs for?  Is there a way to poll "bind" to determine what the
> > cache times are for any particular IP or domain?
> >
> > I hope it's not too long, because our current ISP is about to drop
> > our service!
> >
> > Thanks for any help you can provide.
> >
> > -Mike
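
Added example, not part of any message in this thread: the point in Michael Kjörling's reply, that cache lifetime belongs to each RRset while the SOA's last field only sets the negative TTL, worked through in Python over dig-style records. The A and NS lines are the ones quoted above; the SOA line, the function names, and the use of 86400 as the old record's TTL are assumptions made for illustration.

```python
from collections import defaultdict

# Records in dig/zone-file presentation format. The A and NS lines are quoted
# from the thread; the SOA line is constructed (placeholder names, 1 h MINIMUM).
SAMPLE = """\
zyric.zyvex.com.  86400  IN  A    216.138.97.43
zyvex.com.        86400  IN  NS   dfwns1.airband.net.
zyvex.com.        86400  IN  NS   dfwns2.airband.net.
zyvex.com.        86400  IN  SOA  ns.example. hostmaster.example. 2001120301 10800 3600 604800 3600
"""

def parse_rrsets(text):
    """Group records into RRsets: (owner, class, type) -> (ttl, [rdata, ...])."""
    rrsets = defaultdict(lambda: [None, []])
    for line in text.splitlines():
        # Drop dig's ';;' comment lines (simplification: rdata with ';' unsupported).
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
        entry = rrsets[(owner.lower(), rrclass.upper(), rrtype.upper())]
        # Records of one RRset should share a TTL; keep the lowest if they differ.
        entry[0] = int(ttl) if entry[0] is None else min(entry[0], int(ttl))
        entry[1].append(rdata)
    return {key: (val[0], val[1]) for key, val in rrsets.items()}

def positive_ttl(rrsets, owner, rrtype):
    """Longest time a resolver may keep answering from this RRset once cached."""
    return rrsets[(owner.lower(), "IN", rrtype.upper())][0]

def negative_ttl(rrsets, zone):
    """Negative-caching TTL per RFC 2308: min(SOA record TTL, SOA MINIMUM field)."""
    ttl, rdata = rrsets[(zone.lower(), "IN", "SOA")]
    minimum = int(rdata[0].split()[-1])  # MINIMUM is the last SOA field
    return min(ttl, minimum)

def worst_case_stale_seconds(old_ttl, seconds_since_change):
    """Time left for a cache that stored the old RRset just before the change."""
    return max(0, old_ttl - seconds_since_change)

if __name__ == "__main__":
    rr = parse_rrsets(SAMPLE)
    print("A RRset TTL:   ", positive_ttl(rr, "zyric.zyvex.com.", "A"))
    print("negative TTL:  ", negative_ttl(rr, "zyvex.com."))
    # Assumption: the old A record carried the same 86400 s TTL as the new one.
    print("stale for up to", worst_case_stale_seconds(86400, 3 * 3600), "s more")
```

With these inputs, three hours after the change a resolver could still hold the old address for up to 21 more hours, whatever the SOA's one-hour last field says.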

