PLEASE READ: An Important Security Announcement from ISC

Chris Thompson cet1 at
Wed Feb 8 16:25:25 UTC 2012

On Feb 8 2012, Kazunori Fujiwara wrote:

>Searching the title of the vulnerability with google results one PDF document.
>It shows details.

More directly,

This is definitely worth reading, being an interesting new twist on a
fairly old theme.

I have some concerns about what the authors seem to favour as a defense
(section 5.1, page 9):

  "1. Strengthening the bailiwick rule - DNS resolver implementations
      should tighten the bailiwick rule so that a recursive resolver
      only accepts a zone's delegation data from [an] authoritative
      server of a its parent zone."

They admit this would create a problem with "authority mismatches", i.e.
differences between the delegation NS RRset and the in-zone one, and that
these are "common in practice". Well yes, in spades! It would also be
quite inconsistent with the existing credibility rules, and with the
fact that in signed zones the delegation NS RRset is unsigned, on the
basis that it is a hint, not authoritative.

Chris Thompson
Email: cet1 at

More information about the bind-users mailing list