Another way to find the primary server for a zone
Brad Knowles
brad.knowles at skynet.be
Fri May 11 07:11:22 UTC 2001
At 9:35 AM +1000 5/11/01, Mark.Andrews at nominum.com wrote:
> BIND 9 does support
> forwarding, if you enable it, and returns NOTIMP if you
> don't enable it. The servers use their own knowledge of
> the zone transfer graph to find the primary. Looking at
> the MNAME is just an optimisation.
Cool!
> We only recommend turning on forwarding if and only if the
> primary is using only TSIG or some other cryptographic
> means to verify the authenticity of the update request.
> The original IP address is masked by the slave so you can't
> trust the IP address in this situation, especially given
> how easy it is to forge a UDP datagram.
Right. The slave should just basically be able to re-transmit
the original packet (with TSIG) unmodified, but to the correct
upstream server, right?
Is there any reason why you might not want to enable this type of
forwarding?
> Note this is real forwarding not what is done when you use
> a forwarder in named. The latter strips off TSIGs before
> generating a new query to the forwarder which may have a
> different TSIG.
If this is different, then how would you enable it?
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
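The distinction Mark draws above, between real update forwarding (the slave relays the client's packet as-is, so the primary still sees the client's TSIG) and forwarder-style regeneration (which drops the client's TSIG), can be shown offline with a small model of RFC 2136 UPDATE plus RFC 2845 TSIG. The code below is an added example written for this page; it is not BIND code and not from the thread. The zone, key name, key bytes and record are made-up constants, and the model uses uncompressed names and the hmac-sha256 TSIG algorithm only. It shows why, once a slave is in the path, the primary can authenticate nothing but the MAC: the source IP it sees belongs to the slave, and a relayed-but-tampered datagram fails the check just as a stripped one does.

```python
import hashlib
import hmac
import struct

# Constructed sample material; the zone, key and record are assumptions, not from the thread.
ZONE = "example.com."
KEY_NAME = "update-key."
KEY_SECRET = bytes(range(32))           # hypothetical shared secret
ALGORITHM = "hmac-sha256."              # RFC 4635 TSIG algorithm name
PRIMARY_KEYRING = {KEY_NAME: KEY_SECRET}  # what the primary knows; the slave may have no copy


def encode_name(name):
    """Uncompressed, lowercase wire form; TSIG digests use canonical (lowercase) names."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(wire, off):
    labels = []
    while wire[off]:
        labels.append(wire[off + 1:off + 1 + wire[off]].decode("ascii"))
        off += 1 + wire[off]
    return ".".join(labels) + ".", off + 1


def build_update(msg_id, zone, rr_name, ipv4, ttl=300):
    """RFC 2136 UPDATE adding one A record: header, zone section, update section."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)   # opcode 5, ZOCOUNT=1, UPCOUNT=1
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)        # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_sec = encode_name(rr_name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + zone_sec + update_sec


def _tsig_vars(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG variables that are digested together with the unsigned message."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0)      # class ANY, TTL 0
            + encode_name(algorithm)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def tsig_sign(wire, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR: MAC over the unsigned message plus the TSIG variables."""
    mac = hmac.new(secret, wire + _tsig_vars(key_name, ALGORITHM, time_signed, fudge),
                   hashlib.sha256).digest()
    original_id = struct.unpack("!H", wire[:2])[0]
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", wire[10:12])[0] + 1
    return wire[:10] + struct.pack("!H", arcount) + wire[12:] + tsig_rr


def _locate_last_additional(wire):
    """Offset of the last additional-section RR (where a TSIG must sit), or None if none."""
    _, _, zo, pr, up, ad = struct.unpack("!HHHHHH", wire[:12])
    if ad == 0:
        return None
    off = 12
    for _ in range(zo):
        off = read_name(wire, off)[1] + 4
    for _ in range(pr + up + ad - 1):
        off = read_name(wire, off)[1]
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    return off


def tsig_verify(wire, keyring):
    """Primary-side check. Returns (ok, key_name); an unsigned message is rejected outright."""
    start = _locate_last_additional(wire)
    if start is None:
        return False, None
    key_name, off = read_name(wire, start)
    rrtype = struct.unpack("!HHIH", wire[off:off + 10])[0]
    off += 10
    if rrtype != 250:
        return False, None
    algorithm, off = read_name(wire, off)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", wire[off:off + 10])
    off += 10
    mac, off = wire[off:off + mac_size], off + mac_size
    original_id, error, other_len = struct.unpack("!HHH", wire[off:off + 6])
    off += 6
    other = wire[off:off + other_len]
    secret = keyring.get(key_name.lower())
    if secret is None or algorithm.lower() != ALGORITHM:
        return False, key_name
    ad = struct.unpack("!H", wire[10:12])[0]
    unsigned = struct.pack("!H", original_id) + wire[2:10] + struct.pack("!H", ad - 1) + wire[12:start]
    expected = hmac.new(secret, unsigned + _tsig_vars(key_name, algorithm, (hi << 32) | lo,
                                                      fudge, error, other), hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac), key_name


def relay_unmodified(signed):
    """Update forwarding: the slave hands on the exact bytes, so the client's MAC survives."""
    return signed


def rebuild_like_a_forwarder(signed, new_id):
    """Resolver-style forwarding: the query is regenerated, which strips the client's TSIG."""
    start = _locate_last_additional(signed)
    ad = struct.unpack("!H", signed[10:12])[0]
    return struct.pack("!H", new_id) + signed[2:10] + struct.pack("!H", ad - 1) + signed[12:start]


def demo():
    """Returns (relayed_ok, rebuilt_ok, tampered_ok) as seen by the primary."""
    request = tsig_sign(build_update(0x1234, ZONE, "host.example.com.", "192.0.2.10"),
                        KEY_NAME, KEY_SECRET, time_signed=989564722)
    relayed_ok, _ = tsig_verify(relay_unmodified(request), PRIMARY_KEYRING)
    rebuilt_ok, _ = tsig_verify(rebuild_like_a_forwarder(request, 0x5678), PRIMARY_KEYRING)
    # A forged datagram: same TSIG RR glued onto a different update (spoofing the source IP is cheap).
    forged = build_update(0x1234, ZONE, "host.example.com.", "198.51.100.1")
    tampered = forged[:10] + b"\x00\x01" + forged[12:] + request[_locate_last_additional(request):]
    tampered_ok, _ = tsig_verify(tampered, PRIMARY_KEYRING)
    return relayed_ok, rebuilt_ok, tampered_ok
```

Only the relayed copy passes; the regenerated one arrives unsigned and the tampered one fails the MAC, which is the reason for the advice above that forwarding is only safe when the primary insists on TSIG (or another cryptographic check) rather than on the source address. For reference, and as an addition from the BIND 9 documentation rather than from this thread, the slave-side switch for this kind of forwarding is the `allow-update-forwarding` zone option.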
More information about the bind-users mailing list