nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED

From: Gadi Evron <ge () linuxbox org>
Date: Thu, 24 Jul 2008 10:23:41 -0500 (CDT)
On Thu, 24 Jul 2008, John Kristoff wrote:

On Thu, 24 Jul 2008 10:06:25 +0100
Simon Waters <simonw () zynet net> wrote:


I checked last night, and noticed TLD servers for .VA and .MUSEUM are
still offering recursion amongst a load of less popular top level
domains.

Indeed just under 10% of the authoritative name servers mentioned in
the root zone file still offer recursion.


While not ideal, at least most resolvers will not go asking those
servers for anything other than what they are authoritative for unless
an attacker for some reason wanted to setup a long chain of poisons. The
large, shared caching servers and all those open CPE devices are a
much larger concern I think.
Indeed--you won't hear arguments from me on other threats, especially not CPE devices which I fought to bring recognition to.
But sticking to the point, TLD servers should (under most circumstances) be recursive. Thing is, those that are, are likely to stay that way.
I personally know several folks from within and wayyy from outside the DNS world who discovered this very out there and obvious issue and worked hard to try and contact the operators. Those that haven't fixed it yet, likely won't if all thing remain even.
Others I am not aware of likely did the same, withs imilar results. I guess we could try again. 

        Gadi.
Previous By Date Next
Previous By Thread Next

Current thread: