Switching to TCP in BIND.

Sam Wilson Sam.Wilson at ed.ac.uk
Wed May 5 08:35:38 UTC 2010


In article <mailman.1323.1272653060.21153.bind-users at lists.isc.org>,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Wed, Apr 28, 2010 at 11:59:11AM -0400,
>  Kevin Darcy <kcd at chrysler.com> wrote 
>  a message of 21 lines which said:
> 
> > I know of no such feature. What do you mean by "spoofed" anyway? How
> > would you expect named to detect "spoofing", and is that its job?
> 
> It seems (not tested by me) that Nominum CNS does that: when many
> responses arrive which do not match (src IP address, query ID, etc)
> any pending answer, it switches to TCP, assuming someone tries to
> poison it.
>  
> This is supposed to be a protection against the Kaminsky attack.

Interesting.  "Switches" by what means?  Returns TC responses to all UDP 
queries?  Just for particular clients or particular domains?  Is this 
documented at all (yes, I'm too lazy to Google :-) ).

Sam
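The heuristic Stephane describes (count responses that match no outstanding query, and move that upstream to TCP once they pile up) can be sketched as a small resolver-side model. The code below is an added example for this thread, not Nominum CNS or BIND code, and the threshold, window and hold-down values are assumptions chosen for illustration; a real resolver would tune them against its normal rate of late or stray replies.

```python
"""Toy model of a poisoning-pressure detector for a recursive resolver.

Outstanding UDP queries are keyed by (upstream address, transaction id,
source port, qname). A response that matches no outstanding query is a
mismatch; when mismatches from one upstream exceed a threshold inside a
sliding window, that upstream is queried over TCP for a hold-down period.
All parameters below are assumed values, not anything a product ships with.
"""
from collections import defaultdict, deque

MISMATCH_THRESHOLD = 5     # assumed: mismatches per window before switching
WINDOW_SECONDS = 10.0      # assumed: sliding window length
TCP_HOLD_SECONDS = 300.0   # assumed: how long to keep forcing TCP
QUERY_TIMEOUT = 5.0        # assumed: how long a query stays outstanding


class PoisonGuard:
    """Tracks outstanding UDP queries and decides when to fall back to TCP."""

    def __init__(self, threshold=MISMATCH_THRESHOLD, window=WINDOW_SECONDS,
                 hold=TCP_HOLD_SECONDS, timeout=QUERY_TIMEOUT):
        self.threshold = threshold
        self.window = window
        self.hold = hold
        self.timeout = timeout
        self.pending = {}                      # key -> deadline
        self.mismatches = defaultdict(deque)   # upstream -> mismatch timestamps
        self.tcp_until = {}                    # upstream -> time TCP is forced until

    @staticmethod
    def _key(upstream, txid, port, qname):
        # qname compared case-insensitively, as DNS names are
        return (upstream, txid, port, qname.lower())

    def send_query(self, upstream, txid, sport, qname, now):
        self.pending[self._key(upstream, txid, sport, qname)] = now + self.timeout

    def expire(self, now):
        """Drop queries that timed out; late answers to them count as mismatches."""
        self.pending = {k: d for k, d in self.pending.items() if d > now}

    def transport_for(self, upstream, now):
        return "tcp" if self.tcp_until.get(upstream, 0.0) > now else "udp"

    def receive_response(self, src_ip, txid, dport, qname, now):
        """Return True if the response matches an outstanding query, else False."""
        key = self._key(src_ip, txid, dport, qname)
        if key in self.pending:
            del self.pending[key]
            return True
        # Unmatched response: record it against the claimed source address.
        window = self.mismatches[src_ip]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold:
            self.tcp_until[src_ip] = now + self.hold
            window.clear()
        return False


def demo():
    """Constructed scenario: one real query, a burst of stray answers."""
    upstream = "192.0.2.53"          # documentation address, constructed
    t0 = 1000.0
    guard = PoisonGuard()
    guard.send_query(upstream, 0x1234, 40000, "example.com", t0)

    mismatches = 0
    for i in range(5):               # five answers with the wrong transaction id
        if not guard.receive_response(upstream, 0x1000 + i, 40000, "example.com", t0 + i * 0.1):
            mismatches += 1

    return {
        "mismatches_seen": mismatches,
        "transport_after": guard.transport_for(upstream, t0 + 1.0),
        "legit_matched": guard.receive_response(upstream, 0x1234, 40000, "Example.COM", t0 + 0.5),
        "transport_later": guard.transport_for(upstream, t0 + 1000.0),
    }


if __name__ == "__main__":
    print(demo())
```

Because the counter is keyed on the source address the stray packets claim, a flood of forged answers for one authoritative server only affects queries to that server; the answer to Sam's question in this model is therefore "per upstream, for a bounded time", not all UDP traffic. The false-positive risk is the `expire` path: answers arriving just after a query timed out look exactly like mismatches, so the threshold has to sit well above the resolver's background rate of late replies.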


