
Re: Interesting report by logcheck....



On Fri, Feb 01, 2002 at 03:47:21PM -0600, Brian McGroarty wrote:
> 
> I'd appreciate it if you'd direct me to the newer material that
> supersedes the information in RFC 1033, Noah. I'll be searching myself
> as well. I don't wish to remain ignorant, of course.

From RFC 1912 (Common DNS Operational and Configuration Errors) section
2.4:

   Having NS records pointing to a CNAME is bad and may conflict badly
   with current BIND servers.  In fact, current BIND implementations
   will ignore such records, possibly leading to a lame delegation.
   There is a certain amount of security checking done in BIND to
   prevent spoofing DNS NS records.  Also, older BIND servers reportedly
   will get caught in an infinite query loop trying to figure out the
   address for the aliased nameserver, causing a continuous stream of
   DNS requests to be sent.

Now of course, this doesn't give any hint at all as to *why* this may be
bad, except that BIND doesn't like it.  If that's not a bad reason then
I don't know what is.  This may not be the best source for this info,
however.  There may very well be another RFC that gives more details.
This was the first one that came to mind, though.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
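
The misconfiguration quoted from RFC 1912 section 2.4 can be caught before a zone is published. The following is an added example, not part of the original message and not code from BIND: a Python check over a constructed, simplified zone listing (the `example.test` names, addresses and function names are assumptions) that flags NS records whose target is a CNAME.

```python
# Added example: flag NS records whose target is an alias (RFC 1912 section 2.4).
# SAMPLE_ZONE is constructed data; it assumes fully qualified names, one record per line.
SAMPLE_ZONE = """\
; constructed records for illustration
example.test.       3600 IN NS    ns1.example.test.
example.test.       3600 IN NS    ns2.example.test.
sub.example.test.   3600 IN NS    Alias.Example.Test.
ns1.example.test.   3600 IN A     192.0.2.1
ns2.example.test.   3600 IN CNAME host7.example.test.
alias.example.test. 3600 IN CNAME host7.example.test.
host7.example.test. 3600 IN A     192.0.2.7
"""


def parse_records(text):
    """Yield (owner, rtype, rdata) from 'owner [ttl] [class] type rdata' lines."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        # Skip the optional TTL and class fields before the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest = rest[1:]
        if len(rest) < 2:
            continue
        # DNS names compare case-insensitively; normalise and drop the root dot.
        yield owner.lower().rstrip("."), rest[0].upper(), rest[1].lower().rstrip(".")


def ns_pointing_to_cname(text):
    """Return (zone, ns_target, alias_target) for every NS record naming a CNAME."""
    records = list(parse_records(text))
    cnames = {owner: rdata for owner, rtype, rdata in records if rtype == "CNAME"}
    return [
        (owner, rdata, cnames[rdata])
        for owner, rtype, rdata in records
        if rtype == "NS" and rdata in cnames
    ]


if __name__ == "__main__":
    for zone, ns, alias_target in ns_pointing_to_cname(SAMPLE_ZONE):
        print(f"{zone}: NS target {ns} is a CNAME for {alias_target}")
```

The check only sees aliases defined in the data it is given; an NS target that lives in another zone has to be resolved separately.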
