On Fri, Nov 07, 2003 at 02:23:37PM +0900, Masataka Ohta wrote:
> It is just enough protection against a well known attack to
> contaminate the cache by glue A, which I confirmed to work about
> 10 years ago.

pdns_recursor simply rejects answers that are not in the zone of the NS
that caused it to recurse to that nameserver. So:

> That is, with
>
> hpcl.titech.ac.jp. NS foo.bar
> foo.bar. A 131.112.32.132

Say a question originally arrived for www.hpcl.titech.ac.jp, and
pdns_recursor already had "titech.ac.jp NS your-nameserver", then
pdns_recursor only accepts answers within or above titech.ac.jp.
foo.bar is immediately rejected, as it does not end on titech.ac.jp.

Every once in a while this causes pdns to ask more questions than
strictly necessary, but it's still faster than most recursing
nameservers. Run pdns_recursor in --trace mode to see it explain all
its decisions.

In this case, the glue is not necessary and hence not accepted. I think
DJB does something smarter and accepts the glue *only* for this
question.

> I'm saying answer should be stored in cache for latter use, only
> if the same answer is obtained multiple times with independent
> IDs.

Ah - so you just ask a question multiple times with different id and
source port, making it exponentially harder to spoof an answer. Sure,
that would work, but it doubles the load on authoritative nameservers.

Bert.

--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO

#----------------------------------------------------------------------
# To unsubscribe, send a message to <[EMAIL PROTECTED]>.
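The bailiwick rule Bert describes, as an added example for readers of this thread (not PowerDNS code and not from either poster): records from a referral are kept only if their owner name is the delegating zone or lies below it, which is what discards the out-of-zone glue for foo.bar. The record tuples, the constructed in-bailiwick glue `ns.hpcl.titech.ac.jp` / `192.0.2.1`, and the look-alike name `evil-titech.ac.jp` are assumptions made up for the example.

```python
"""Bailiwick filtering of referral records, in the spirit of pdns_recursor's rule."""

from typing import Iterable, List, Tuple

# A resource record as (owner name, type, rdata); sample data below is constructed.
Record = Tuple[str, str, str]


def canonical(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot so comparisons are uniform."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a descendant of zone.

    The comparison is label-aligned: 'evil-titech.ac.jp' is not under
    'titech.ac.jp' even though it ends with the same characters."""
    n, z = canonical(name), canonical(zone)
    if z == "":
        return True  # the root bailiwick contains every name
    return n == z or n.endswith("." + z)


def filter_referral(records: Iterable[Record], zone: str) -> Tuple[List[Record], List[Record]]:
    """Split referral records into (accepted, rejected) against the delegating zone."""
    accepted: List[Record] = []
    rejected: List[Record] = []
    for rr in records:
        (accepted if in_bailiwick(rr[0], zone) else rejected).append(rr)
    return accepted, rejected


# Constructed referral for www.hpcl.titech.ac.jp, received from a titech.ac.jp server.
REFERRAL_ZONE = "titech.ac.jp"
RESPONSE: List[Record] = [
    ("hpcl.titech.ac.jp.", "NS", "foo.bar."),              # delegation itself: in zone, kept
    ("foo.bar.", "A", "131.112.32.132"),                   # glue outside the zone: dropped
    ("ns.hpcl.titech.ac.jp.", "A", "192.0.2.1"),           # constructed in-zone glue: kept
    ("evil-titech.ac.jp.", "A", "192.0.2.2"),              # string-suffix look-alike: dropped
]

if __name__ == "__main__":
    kept, dropped = filter_referral(RESPONSE, REFERRAL_ZONE)
    for rr in kept:
        print("accept", *rr)
    for rr in dropped:
        print("reject", *rr)
```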
