SRV records and cache poisoning (full)

Barry Margolin barmar at
Tue Jun 7 07:29:07 UTC 2005

In article <d83fhj$dfj$1 at>,
 Mark Andrews <Mark_Andrews at> wrote:

> > Hello,
> > 
> > (sorry, I seem to have pressed the "Send" button earlier by mistake,
> > so an incomplete version of this email will have ended up on
> > bind-users)
> > 
> > This is more of a resolver/DNS question than a BIND one, but I thought
> > I'd ask it here since there are people on this list that also worked
> > on the libbind resolver library.
> > 
> > I'm writing this C++ module that does some DNS queries, SRV being one
> > of them; it functions as a stub resolver, querying recursive
> > nameservers that do the full resolution. Now, say that the following
> > scenario happens:
> 	Stub resolvers need to trust their caching servers to have
> 	anti-poisioning support.  Stub resolvers don't have enough
> 	information to detect poisioning.  This assumes DNSSEC is
> 	not available for the zone that is the target of the
> 	poisoning.  If DNSSEC is available them the stub resolver
> 	can verify the answer.

Also, since some caching servers will pass the initial response from the 
authoritative server straight through, stub resolvers should *not* cache 
anything other than the answer to the query they originally sent.

If the records in the authority or additional section are cacheable, the 
stub resolver should rely on the caching server to cache them.  So when 
the stub goes on to look these up, they'll already be in the server's 
cache and the resolution should be quick.

Barry Margolin, barmar at
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***

More information about the bind-users mailing list