Switching to TCP in BIND.

Sam Wilson Sam.Wilson at ed.ac.uk
Wed May 5 08:35:38 UTC 2010

In article <mailman.1323.1272653060.21153.bind-users at lists.isc.org>,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Wed, Apr 28, 2010 at 11:59:11AM -0400,
>  Kevin Darcy <kcd at chrysler.com> wrote 
>  a message of 21 lines which said:
> > I know of no such feature. What do you mean by "spoofed" anyway? How
> > would you expect named to detect "spoofing", and is that its job?
> It seems (not tested by me) that Nominum CNS does that: when many
> responses arrive which do not match (src IP address, query ID, etc)
> any pending answer, it switches to TCP, assuming someone tries to
> poison it.
> This is supposed to be a protection against the Kaminsky attack.

Interesting.  "Switches" by what means?  Returns TC responses to all UDP 
queries?  Just for particular clients or particular domains?  Is this 
documented at all (yes, I'm too lazy to Google :-) ).


More information about the bind-users mailing list