> > 2. who does recursive queries on external interfaces?
> > i would have considered this a configuration error and
> > security problem ten years ago.
> >
> > Tell that to the rest of the internet.

without reasonable configuration, most any machine can be made trivially vulnerable.

> vectors that are just as predictable because of the
> luxury of web2.0. Recursive queries obviously just
> make this simpler for the attacker.

what is this "web 2.0" of which you speak? i use plan 9 and am unfamiliar with such as i presume to be jargon. ☺

to do it from the inside, one requires out-of-bailiwick hints to be cached, right? this should be a big hurdle.

it's disappointing to note that plan 9 dns does no hint validation. that is perhaps a larger, long-known, and still-exploitable hole than the one that gets so much press.

i think it would be best if ndb/dns simply did not reply with answers obtained from glue but rather re-queried the authoritative ns *and* rejected out-of-bailiwick hints.

- erik
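
The two changes proposed in the message above, rejecting out-of-bailiwick hints and never answering a client from glue, as an added illustration in C (the language ndb/dns is written in). This is example code, not ndb/dns or anything else from the Plan 9 distribution or this thread; the record layout, the zone `example.com`, the names and addresses, and the sample response are all constructed for the example.

```c
/* Added example, not ndb/dns code: a bailiwick check on the records of a DNS
 * response, and a cache that never answers a client query from glue. The zone,
 * names, addresses and the sample response are constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum { Sanswer, Sauthority, Sadditional, Ncache = 32 };

typedef struct RR RR;
struct RR {
	const char *owner;	/* fully qualified owner name, no trailing dot */
	const char *type;
	const char *rdata;
	int section;		/* section of the response it came from */
};

typedef struct Cache Cache;
struct Cache {
	RR rr[Ncache];
	int n;
};

/* 1 if name equals zone or is a subdomain of it; labels compare case-insensitively */
int
inbailiwick(const char *name, const char *zone)
{
	size_t ln = strlen(name), lz = strlen(zone);
	const char *tail;

	if(lz == 0)
		return 1;		/* root zone: everything is in bailiwick */
	if(ln < lz)
		return 0;
	tail = name + (ln - lz);
	if(strcasecmp(tail, zone) != 0)
		return 0;
	return ln == lz || tail[-1] == '.';
}

/* Cache a response from a server delegated zone; keep only records whose owner
 * lies within that zone. Returns the number of records accepted. */
int
loadresponse(Cache *c, const RR *rr, int n, const char *zone)
{
	int i, kept = 0;

	for(i = 0; i < n && c->n < Ncache; i++){
		if(!inbailiwick(rr[i].owner, zone))
			continue;	/* out-of-bailiwick record: discard, never cache */
		c->rr[c->n++] = rr[i];
		kept++;
	}
	return kept;
}

/* Find owner/type in the cache. With forclient set, glue (records from an
 * additional section) is not an acceptable source and NULL means the resolver
 * must re-query the authoritative servers; internal lookups may use glue. */
const RR*
cachelookup(const Cache *c, const char *owner, const char *type, int forclient)
{
	int i;

	for(i = 0; i < c->n; i++)
		if(strcasecmp(c->rr[i].owner, owner) == 0 && strcmp(c->rr[i].type, type) == 0
		&& !(forclient && c->rr[i].section == Sadditional))
			return &c->rr[i];
	return NULL;
}

/* Constructed reply to "www.example.com A" from a server delegated example.com.
 * The last two additional records are the kind of payload a poisoner sends. */
const RR response[] = {
	{ "www.example.com", "A",  "192.0.2.10",     Sanswer },
	{ "example.com",     "NS", "ns.example.com", Sauthority },
	{ "ns.example.com",  "A",  "192.0.2.53",     Sadditional },
	{ "ns.other.net",    "A",  "198.51.100.9",   Sadditional },
	{ "www.other.net",   "A",  "198.51.100.10",  Sadditional },
};
enum { Nresponse = sizeof response / sizeof response[0] };
Cache cache;

/* Load the constructed reply into cache; returns the number of records accepted */
int
loadsample(void)
{
	cache.n = 0;
	return loadresponse(&cache, response, Nresponse, "example.com");
}

int
main(void)
{
	printf("accepted %d of %d records\n", loadsample(), Nresponse);
	printf("ns.example.com A for a client: %s\n",
		cachelookup(&cache, "ns.example.com", "A", 1) ? "from cache" : "re-query authoritative ns");
	return 0;
}
```

The bailiwick test is the one that stops the "from the inside" attack the message describes: the two `other.net` records are dropped before they ever reach the cache. The `forclient` flag is the second half of the proposal; the glue address for `ns.example.com` is still usable for chasing the delegation, but a client asking for it gets nothing from the cache and forces a fresh query to the authoritative servers.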
