On Thu, Nov 14, 2002 at 05:13:40PM -0500, Joseph S D Yao wrote:
> On Thu, Nov 14, 2002 at 03:23:23PM -0500, Ragnar Paulson wrote:
> ...
> > Put another way, if I have named/bind configured to only allow recursion
> > to local users ... is this still remotely exploitable?
> ...
> My understanding is that it is exploitable if the client can do
> recursion ... so, in the case you posit, local users could exploit it
> but remote users could not.

Here there be dragons...

What if someone sends you an E-Mail message that prompts a DNS lookup to
the hostile nameserver? How about a URL? You have to trust ALL of your
local clients to NEVER (not even in one of those transparent,
under-the-hood type checks that you don't even know about) be tricked
into requesting a bad RR record.

This is not a road to be walked down. It's quibbling on when and how you
will get screwed when, in fact, you are going to get screwed. Fact is
that, even if you control all the requesting clients, you don't control
all the paths which may trigger a request from all the clients. There
are just too many variables and paths.

> --
> Joe Yao jsdy@center.osis.gov - Joseph S. D. Yao
> OSIS Center Systems Support EMT-B
> -----------------------------------------------------------------------
> This message is not an official statement of OSIS Center policies.

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!