Ah - so you just ask a question multiple times with different id and source port, making it exponentially harder to spoof an answer.
No, though it is a protection on end systems. To prevent cache contamination, it is enough that a caching server caches information only if there is more than one query.
Ah - that would still allow the first answer to be spoofed.
I know and it is easy to stop it. But see the subject.
How do you deal with bonafide changes within the TTL? These also generate different answers than before.
That's why I wrote "compatible answer" in the first mail of the thread.
Say a question originally arrived for www.hpcl.titech.ac.jp, and pdns_recursor already had "titech.ac.jp NS your-nameserver"; pdns_recursor only accepts answers within or above titech.ac.jp. Foo.bar is immediately rejected, as it does not end in titech.ac.jp.
Are you saying nameservers "[a-m].gtld-servers.net." for "com." are rejected?
No, I look at the left-hand side: [a-m].gtld-servers.net are accepted from the "." nameserver because they are records for "COM.", which is above ".".
"COM." is above "."? I'm totally confused. Are there any documents on the net?
Masataka Ohta
#----------------------------------------------------------------------
# To unsubscribe, send a message to <[EMAIL PROTECTED]>.
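The acceptance rule discussed in this thread, as an added illustration rather than pdns_recursor's own code: a record in a response is kept only when its owner name is at or below the zone the queried nameserver was delegated for, compared label by label so that a name which merely shares a string suffix with the zone is not let through. The names and addresses in the sample responses are constructed.

```python
# Added example (not pdns_recursor code): bailiwick filtering of response records.
# Each record is (owner, rtype, rdata); the zone is the delegation that led the
# resolver to the nameserver it asked.

def normalize(name: str) -> str:
    """Lower-case a DNS name and make it absolute (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def labels(name: str) -> list:
    """Split a name into labels; the root "." has no labels."""
    n = normalize(name)
    return [] if n == "." else n[:-1].split(".")

def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner equals zone or is a subdomain of it (label-wise, not a
    plain suffix match, so 'www.nottitech.ac.jp' is outside 'titech.ac.jp')."""
    o, z = labels(owner), labels(zone)
    return len(z) <= len(o) and o[len(o) - len(z):] == z

def filter_response(records: list, zone: str) -> tuple:
    """Split response records into (accepted, rejected) by the bailiwick rule."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected

# Constructed sample: a reply from a titech.ac.jp nameserver for
# www.hpcl.titech.ac.jp, padded with two records that do not belong to that zone.
TITECH_RESPONSE = [
    ("www.hpcl.titech.ac.jp.", "A", "192.0.2.10"),
    ("hpcl.titech.ac.jp.", "NS", "ns.hpcl.titech.ac.jp."),
    ("ns.hpcl.titech.ac.jp.", "A", "192.0.2.53"),
    ("foo.bar.", "A", "198.51.100.1"),                # unrelated name, dropped
    ("www.nottitech.ac.jp.", "A", "198.51.100.2"),    # endswith() would wrongly accept
]

# Constructed sample: a referral from a root server; everything is below ".",
# so the com. NS record and its glue are in bailiwick.
ROOT_RESPONSE = [
    ("com.", "NS", "a.gtld-servers.net."),
    ("a.gtld-servers.net.", "A", "192.0.2.30"),
]

if __name__ == "__main__":
    for zone, resp in ((".", ROOT_RESPONSE), ("titech.ac.jp", TITECH_RESPONSE)):
        acc, rej = filter_response(resp, zone)
        print(f"zone {zone}: accepted {len(acc)}, rejected {[r[0] for r in rej]}")
```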
