SRV records and cache poisoning (full)

Stefan Puiu stefan.puiu at
Tue Jun 7 06:16:23 UTC 2005


(sorry, I seem to have pressed the "Send" button earlier by mistake,
so an incomplete version of this email will have ended up on

This is more of a resolver/DNS question than a BIND one, but I thought
I'd ask it here since there are people on this list that also worked
on the libbind resolver library.

I'm writing this C++ module that does some DNS queries, SRV being one
of them; it functions as a stub resolver, querying recursive
nameservers that do the full resolution. Now, say that the following
scenario happens:

Some malicious user makes me do an SRV query for, say,; as far as my understanding of the whole product
works, this could be possible. That user owns and on those
domains' nameservers he has something like:

;; in the '' zone
_ldap._tcp  3600 IN SRV  10 1  389

and a zone with a bogus IP address:

;; bogus zone
@ 3600 IN A

So, when I'd query for that SRV record, my local caching nameserver
would forward that to's nameserver and would pass me back a
reply which, if I understand RFC2782 and BIND's handling of SRV
records (I'm simplifying by assuming both servers are running BIND)
would also include an A record for in the
additional section. Since I'm planning to implement some primitive
caching in this module, my question is: how can I decide if the
records in the additional section can be cached or not? It seems that
I can't trust them, so I could generate lookups for each of the
targets of the SRV records from the reply, but that would be costly.
Is there some middle ground?

Thanks in advance,

More information about the bind-users mailing list
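
One conservative way to act on the question above, as an added example that is not part of the original post or of BIND/libbind: cache an additional-section A record only when it belongs to an SRV target that lies inside the queried domain, and resolve every other target with its own query. The record structs, function names and the `.test` names are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed, simplified record types for illustration (not libbind structures).
struct SrvRecord { std::string target; unsigned short port; };
struct ARecord   { std::string owner; std::string address; };

// Lower-case and drop a trailing dot so comparisons are case-insensitive.
static std::string normalize(std::string n) {
    std::transform(n.begin(), n.end(), n.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (!n.empty() && n.back() == '.') n.pop_back();
    return n;
}

// Strip leading "_service._proto" labels: "_ldap._tcp.example.test" -> "example.test".
static std::string srvDomain(const std::string& qname) {
    std::string n = normalize(qname);
    while (!n.empty() && n[0] == '_') {
        std::string::size_type dot = n.find('.');
        if (dot == std::string::npos) return "";
        n.erase(0, dot + 1);
    }
    return n;
}

// True if name equals domain or is a subdomain of it (label-aligned match).
static bool inDomain(const std::string& name, const std::string& domain) {
    std::string n = normalize(name), d = normalize(domain);
    if (d.empty() || n.size() < d.size()) return false;
    if (n.compare(n.size() - d.size(), d.size(), d) != 0) return false;
    return n.size() == d.size() || n[n.size() - d.size() - 1] == '.';
}

// Cache an additional-section A record only if it names a target from the answer
// section and that target lies inside the domain that was queried.
bool cacheableAdditional(const std::string& qname,
                         const std::vector<SrvRecord>& answer,
                         const ARecord& extra) {
    const std::string domain = srvDomain(qname);
    for (const SrvRecord& s : answer) {
        if (normalize(s.target) == normalize(extra.owner))
            return inDomain(extra.owner, domain);
    }
    return false;  // not referenced by any SRV target: ignore it
}
```

A record rejected here is not used from the reply; the module issues a separate A query for that target, so the extra lookup cost is paid only for targets outside the queried domain.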