Advisory Notice for Bind Default Configuration and Reflector Attacks
Paul Vixie
paul at vix.com
Fri Mar 24 06:47:54 UTC 2006
# True, I can do it for the CNAMES I know about in my own master zones but
# I'd hate to have to start regularly reading the many zones I secondary
# for new CNAME's added on the primary and add stub zones on my servers to
# keep them functioning. That won't scale very well. I also have to
# worry what happens on the people who secondary for me.
those are reasonable concerns, which is why i called it a workaround. my
hope is that others at isc will agree that either a nonterminal cname chain
or a terminal cname chain, but not REFUSED, is appropriate in your situation,
and that some kind of code change will be forthcoming.
out-of-zone cnames are brainbending in their implications.
More information about the bind-workers
mailing list