odd behavior in bind-8.2.2_P3 (fwd) - "illegitimate COM server" - more
LaMont Jones
lamont at security.hp.com
Fri Sep 8 03:30:16 UTC 2000
> > Mark Andrews posted a patch that should make everything go through the
> > cache, (although I must admit that I'm not entirely sure that's what we
> > want, or that I understand it...). That would still need to go on the
> > forwarder, not the forwardee, if I understand it as well as I think I
> > do...
> Correct.
In which case, the only concern would be that things with a TTL of 0
would not make it through such a forwarder. (Nor would you ever get
an auth answer, right?)
Pardon me while I think out loud...
If my thinking is correct, the challenge here is that the NS using
forwarders has no way of telling whether or not the authority section
coming back from the forwarder is good or not (how does he know where
the forwarder got its answer - maybe it was from the .com nameservers).
Could it not simply refuse to cache the authority and additional sections
of an AA reply from the forwarder? Non-AA answers would (I think)
perforce have come from the cache of the forwarder, and hence have been
sanitized by him (if you don't trust the forwarder, then you need to find
a new one). AA answers would either be initial answers from another zone,
or zones that the forwarder is authoritative for. Hmm. That could be a
bit sticky, since we wouldn't cache NS RRs for that zone, unless that were
the question. So maybe it's OK after all.
thoughts?
lamont
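The caching rule sketched in the message above, as an added example that is not part of the original thread or of BIND: a forwardee parses a reply from its forwarder, always uses the answer section, but caches the authority and additional sections only when the reply is non-AA (i.e. it came out of the forwarder's own cache). The wire-format encoder/decoder, the names (www.example.com, ns.bogus.test) and the addresses are constructed for this example; the TTL-0 drop models the concern about records that cannot survive a cache-only path.

```python
import struct

QTYPE_A, QTYPE_NS = 1, 2
QCLASS_IN = 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Wire-encode a dotted name as uncompressed labels; bytes pass through
    unchanged so a hand-built compression pointer can be used as a name."""
    if isinstance(name, bytes):
        return name
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: 2 bytes here, then jump
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def build_response(aa, qname, qtype, answer, authority, additional):
    flags = FLAG_QR | (FLAG_AA if aa else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question + b"".join(answer + authority + additional)


def parse_rr(msg, off):
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata_off = off
    off += rdlen
    if rtype == QTYPE_A:
        rdata = ".".join(str(b) for b in msg[rdata_off:off])
    elif rtype == QTYPE_NS:
        rdata, _ = read_name(msg, rdata_off)
    else:
        rdata = msg[rdata_off:off]
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": rdata}, off


def parse_response(msg):
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _ = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, qtype))
    resp = {"aa": bool(flags & FLAG_AA), "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        resp[section] = rrs
    return resp


def cacheable_rrs(resp):
    """Proposed forwardee policy: the answer section is always used; authority
    and additional RRs are kept only from a non-AA reply (served from the
    forwarder's sanitized cache).  An AA reply may carry an authority section
    the forwarder never vetted, so those RRs are dropped.  TTL 0 records cannot
    be held by a cache, so a cache-only path loses them."""
    keep = list(resp["answer"])
    if not resp["aa"]:
        keep += resp["authority"] + resp["additional"]
    return [rr for rr in keep if rr["ttl"] > 0]


# Constructed sample: a reply for www.example.com/A whose authority section
# (name is a compression pointer to "example.com." inside the question) hands
# the delegation to an unrelated host, with glue for it in additional.
ANSWER = [build_rr("www.example.com.", QTYPE_A, 300, bytes([192, 0, 2, 10]))]
AUTHORITY = [build_rr(b"\xC0\x10", QTYPE_NS, 86400, encode_name("ns.bogus.test."))]
ADDITIONAL = [build_rr("ns.bogus.test.", QTYPE_A, 86400, bytes([192, 0, 2, 66])),
              build_rr("ns.bogus.test.", QTYPE_A, 0, bytes([192, 0, 2, 67]))]
AA_REPLY = build_response(True, "www.example.com.", QTYPE_A, ANSWER, AUTHORITY, ADDITIONAL)
CACHED_REPLY = build_response(False, "www.example.com.", QTYPE_A, ANSWER, AUTHORITY, ADDITIONAL)


def demo():
    return {"aa": cacheable_rrs(parse_response(AA_REPLY)),
            "cached": cacheable_rrs(parse_response(CACHED_REPLY))}


if __name__ == "__main__":
    for label, rrs in demo().items():
        print(label, [(rr["name"], rr["type"], rr["rdata"]) for rr in rrs])
```

Run as a script it prints what each reply contributes to the forwardee's cache: the AA reply yields only the A record asked for, while the same sections in a non-AA reply are all accepted except the TTL-0 glue. The policy is deliberately keyed on the AA bit alone, as in the proposal; it does not check that authority records fall under the queried name.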