On 2015-11-17 04:21, Ray Bellis wrote:
On 17/11/2015 02:09, Grant Taylor wrote:
On 11/16/2015 06:56 PM, /dev/rob0 wrote:
You either specify a hints file to use, or use the compiled-in root
hints.
Interesting. I was not aware that it was an exclusive or type
situation.
It's important that
No default route to Internet, internal-root architecture; when you think this
through, it's pretty obvious that the ability to explicitly specify "hints" is
a mandatory feature of any enterprise-strength DNS product.
- Kevin
-Original Message-
On 11/17/2015 03:02 PM, Dave Warren wrote:
Or, the IP formerly used as a root server could turn malicious and start
offering an alternate response. This would only impact resolvers that
had outdated root hints, and also happened to try that particular IP
first, but it's at least a theoretical
On 11/17/2015 03:22 PM, Mark Andrews wrote:
Given the root zone is signed and most of the TLD's are also signed
there is little a rogue operator can do besides causing a DoS if
you validate the returned answers.
This quite from Twitter seems appropriate: DNSSEC only protects you
from getting
On 11/17/2015 02:15 AM, Cathy Almond wrote:
If someone *could* maliciously replace a file on your DNS server with a
blank one, you have more problems than just a blank root hints file
don't you?
Very likely. But not guaranteed. }:->
--
Grant. . . .
unix || die
On 11/17/2015 02:21 AM, Ray Bellis wrote:
It's important that they're exclusive - it would be very much harder to
build an isolated test bed (with "fake" root hints) if BIND insisted on
always trying to reach all of the compiled-in root hints.
Valid point. Thanks Ray.
Otherwise, I might be
On 11/17/2015 04:10 PM, Darcy Kevin (FCA) wrote:
No default route to Internet, internal-root architecture; when you think this through,
it's pretty obvious that the ability to explicitly specify "hints" is a
mandatory feature of any enterprise-strength DNS product.
There is noting that
-Original Message-
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Dil Lee
> Sent: Wednesday, 18 November 2015 3:42 PM
> To: bind-users@lists.isc.org
> Subject: does bind depends on system DNS settings for lookup?
> Hi,
> This is probably
In message <564be747.40...@tnetconsulting.net>, Grant Taylor writes:
> On 11/17/2015 03:22 PM, Mark Andrews wrote:
> > Given the root zone is signed and most of the TLD's are also signed
> > there is little a rogue operator can do besides causing a DoS if
> > you validate the returned answers.
>
Hi,
This is probably a dummy question.
My understand of bind in handling non-authoritative queries is:
1) forward mode. It just forward the client queries to an upstream DNS
server, which is defined in "forwarders" directive.
2) recursive mode. It actually start asking from root DNS server, then
On 17/11/2015 02:31, Grant Taylor wrote:
...
> The idea that a (maliciously) blank root.hints file would prevent BIND
> from using the compiled in version is new to me.
If someone *could* maliciously replace a file on your DNS server with a
blank one, you have more problems than just a blank root
On 17/11/2015 02:09, Grant Taylor wrote:
> On 11/16/2015 06:56 PM, /dev/rob0 wrote:
>> You either specify a hints file to use, or use the compiled-in root
>> hints.
>
> Interesting. I was not aware that it was an exclusive or type situation.
It's important that they're exclusive - it would be
On 2015-11-17 14:13, Mark Andrews wrote:
In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes:
On 2015-11-16 18:09, Grant Taylor wrote:
It's my understanding that ALL of the root servers would have to
change all of their addresses at the same time for DNS to be impacted.
Or, the IP
In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes:
> On 2015-11-16 18:09, Grant Taylor wrote:
> > It's my understanding that ALL of the root servers would have to
> > change all of their addresses at the same time for DNS to be impacted.
>
> Or, the IP formerly used as a root
In message <564ba6e9.2050...@hireahit.com>, Dave Warren writes:
> On 2015-11-17 14:13, Mark Andrews wrote:
> > In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes:
> >> On 2015-11-16 18:09, Grant Taylor wrote:
> >>> It's my understanding that ALL of the root servers would have to
> >>>
15 matches
Mail list logo
