about the additional section

Florian Weimer fweimer at bfk.de
Fri Sep 2 07:43:56 UTC 2011


* 风河:

> I just want to make sure about it, and will the client resolver use the
> additional records directly?

It is somewhat difficult to make correct use of the additional section.
For example, Exim tried to do it, but they had to remove the code
because it caused spurious mail delivery failures.  Nowadays, Exim just
sends explicit DNS queries for everything it needs, and no one has
complained about that.

Even if you manage that, there are other resolvers out there which do
not scrub the additional section (unlike BIND 9), so if you use that
data, you end up with a DNS poisoning vulnerability.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
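
An illustration added here of what scrubbing the additional section can involve, together with the fallback to explicit queries the message describes; it is not part of the original message and is not BIND 9's or Exim's code. The policy (keep an address record only if an answer or authority record points at its owner name and that name lies inside the queried zone), the `RR` tuple and every name and address below are constructed assumptions.

```python
# Added example: conservative filtering of a DNS additional section.
# Records are assumed to be already parsed; all sample data is constructed.
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata")

def norm(name):
    """Lower-case form without the trailing dot, for comparisons."""
    return name.rstrip(".").lower()

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it (label-aligned)."""
    name, zone = norm(name), norm(zone)
    return zone == "" or name == zone or name.endswith("." + zone)

def referenced_targets(records):
    """Host names that NS, MX or SRV records point at."""
    targets = set()
    for rr in records:
        if rr.rtype == "NS":
            targets.add(norm(rr.rdata))
        elif rr.rtype in ("MX", "SRV"):
            targets.add(norm(rr.rdata.split()[-1]))  # target is the last field
    return targets

def scrub_additional(zone, answer, authority, additional):
    """Return (kept records, names that need their own explicit query)."""
    wanted = referenced_targets(answer + authority)
    kept = [rr for rr in additional
            if rr.rtype in ("A", "AAAA")
            and norm(rr.name) in wanted
            and in_bailiwick(rr.name, zone)]
    # Any target without a trusted address is resolved by a separate query.
    must_query = sorted(wanted - {norm(rr.name) for rr in kept})
    return kept, must_query

# Constructed response to an MX query for example.com.
ANSWER = [RR("example.com.", "MX", "10 mail.example.com."),
          RR("example.com.", "MX", "20 mx.backup.example.net.")]
AUTHORITY = [RR("example.com.", "NS", "ns1.example.com.")]
ADDITIONAL = [
    RR("mail.example.com.", "A", "192.0.2.25"),         # referenced, in zone
    RR("ns1.example.com.", "A", "192.0.2.53"),          # referenced, in zone
    RR("mx.backup.example.net.", "A", "198.51.100.7"),  # referenced, out of zone
    RR("www.bank.example.", "A", "203.0.113.66"),       # unrelated name
    RR("login.example.com.", "A", "203.0.113.67"),      # in zone, unreferenced
]

if __name__ == "__main__":
    print(scrub_additional("example.com.", ANSWER, AUTHORITY, ADDITIONAL))
```

A client that consumed `ADDITIONAL` unfiltered would cache the last three records as well; with the filter, only the out-of-zone MX target remains to be looked up with its own query.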



More information about the bind-users mailing list