SRV records and cache poisoning (full)

Stefan Puiu stefan.puiu at gmail.com
Tue Jun 7 07:16:54 UTC 2005


>=20
>         Stub resolvers need to trust their caching servers to have
>         anti-poisioning support.  Stub resolvers don't have enough
>         information to detect poisioning.  This assumes DNSSEC is
>         not available for the zone that is the target of the
>         poisoning.  If DNSSEC is available them the stub resolver
>         can verify the answer.
>=20

So am I to understand that a sane caching nameserver will remove that
www.microsoft.com record from the additional section of the reply? And
that it will do some sort of filtering on the additional section in
responses?

Thanks for the reply,
Stefan.



More information about the bind-users mailing list