FW: slave on per-zone basis only?

WebReactor Networks bind at webreactor.net
Sun Feb 24 03:28:36 UTC 2002


> ...some of them may refuse to believe your TTL of zero...

Thank you.  That answers my first question.

> I certainly hope that you're not arguing that the way
> M$ do things is to be used as an example or blueprint
> for operating hosts on the internet.

I wasn't proposing anything of the sort, I asked if this was a common
problem.  "...there are servers out there in the world that you *will*
sooner or later poison..." indirectly answers my second question.

I'll get to work on redesigning my application to generate zone files and
named.conf entries.  Had I known about the potential damage I would have
designed it that way in the first place.

Thanks.  - John R. S.


----------
From: Pete Ehlke <pde at ehlke.net>
Date: Sat, 23 Feb 2002 11:05:09 -0800
To: WebReactor Networks <bind at webreactor.net>
Cc: bind-users at isc.org
Subject: Re: slave on per-zone basis only?

On Thu, Feb 21, 2002 at 08:28:18PM -0800, WebReactor Networks wrote:
> 
> Could I avoid cache poisoning by setting the TTL on the SOA record to 0?
> This should keep the bogus root SOA from getting cached.  I certainly don't
> want to be destructive.  I tried this on a test server, and "dig
> @(test-server) . soa" comes back with a zero TTL.  I wanted your opinion
> before doing this on the Production server.
> 
> Microsoft DNS installs as a root server by default; were many name servers
> vulnerable to cache poisoning for the root zone, then the problem would be
> encountered often, no?
> 
Well, this question comes up here from time to time, and it's a subject
of some irritation on the djbdns list, where one frequent poster keeps
telling people to make their servers authoritative for '.' as part of a
scheme to avoid rfc2317, which he thinks is overly complex.

AFAICT, there is no RFC that explicitly says that internet connected name
servers MUST NOT or SHOULD NOT claim authority over zones that are explicitly
delegated to other servers, but I've yet to find a situation in which
it's not an ugly hack. My original point stands: there are servers out
there in the world that you *will* sooner or later poison if you claim
authority for '.'. And some of them may refuse to believe your TTL of
zero- ISTR some versions of BIND itself doing this. The bottom line is
that claiming authority over '.', though not expressly forbidden, is a
dodgy proposition that simply saves you a (very) little work at the
expense of breaking other people's servers. Syncing your servers' conf
files isn't terribly hard; the perl to convert a master file into a
slave file is dead easy, as is the perl to generate both from one
source. You can even do what some of us here do- create a special zone
containing only TXT records on a hidden master, and have scripts on your
public facing servers parse that zone and create their conf files based
on it.

As for your comment about M$DNS: Microsoft machines do a lot of things
wrong by default, and Microsoft have yet to demonstrate that they
understand and care about the correct and efficient operation of the
DNS. I certainly hope that you're not arguing that the way M$ do things
is to be used as an example or blueprint for operating hosts on the
internet.

-Pete
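The config-generation approach Pete describes, one zone list as the single source for both the hidden master's and the public slaves' named.conf stanzas, plus the "convert a master file into a slave file" rewrite, written out in Python rather than the perl he mentions. This is an added example, not code from either poster; MASTER_IP, PUBLIC_SLAVES and the zone list are constructed sample values, and the generator refuses a zone of '.' for the reason the thread gives.

```python
import re

# Constructed sample inputs (not from the thread): the hidden master's address,
# the public-facing slaves allowed to transfer from it, and the zone list that
# is the single source both configs are generated from.
MASTER_IP = "192.0.2.10"
PUBLIC_SLAVES = ["198.51.100.1", "198.51.100.2"]
ZONES = ["example.com", "example.net.", "2.0.192.in-addr.arpa"]

ZONE_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")
# A stanza ends at a '};' on its own line; the '};' closing allow-transfer is indented.
STANZA_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)

def normalise_zone(zone):
    """Canonicalise a zone name; refuse '.' (see the thread) and anything that
    is not a plain DNS name, so no input can smuggle text into named.conf."""
    if not ZONE_NAME_RE.fullmatch(zone.strip().rstrip(".")):
        raise ValueError(f"refusing zone {zone!r}: empty, '.', or not a DNS name")
    return zone.strip().rstrip(".").lower()

def master_stanza(zone, slaves):
    name = normalise_zone(zone)
    acl = " ".join(f"{ip};" for ip in slaves)
    return (f'zone "{name}" {{\n    type master;\n'
            f'    file "master/{name}.db";\n'
            f'    allow-transfer {{ {acl} }};\n}};\n')

def slave_stanza(zone, master_ip):
    name = normalise_zone(zone)
    return (f'zone "{name}" {{\n    type slave;\n'
            f'    file "slave/{name}.db";\n'
            f'    masters {{ {master_ip}; }};\n}};\n')

def generate(zones, role):
    """One zone list in, the named.conf fragment for either role out."""
    if role == "master":
        return "".join(master_stanza(z, PUBLIC_SLAVES) for z in zones)
    if role == "slave":
        return "".join(slave_stanza(z, MASTER_IP) for z in zones)
    raise ValueError(f"unknown role {role!r}")

def master_to_slave(conf, master_ip):
    """Rewrite every 'type master' stanza of an existing named.conf as a slave."""
    return "".join(slave_stanza(name, master_ip)
                   for name, body in STANZA_RE.findall(conf)
                   if re.search(r"\btype\s+master\s*;", body))
```

Run `generate(ZONES, "master")` on the hidden master and `generate(ZONES, "slave")` on each public server; `master_to_slave` covers the case where the master's named.conf already exists and only the slave side needs deriving.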