To: Robert Elz <kre@munnari.OZ.AU>
Cc: "D. J. Bernstein" <djb@cr.yp.to>, ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: gson@nominum.com (Andreas Gustafsson)
Date: Wed, 1 Aug 2001 13:55:58 -0700 (PDT)
In-Reply-To: <E15RwuY-000E29-00@psg.com>
Subject: Re: Joint DNSEXT & NGTRANS agenda

Robert Elz writes:
> From: "D. J. Bernstein" <djb@cr.yp.to>
> | This ``perverse method'' has been used by all versions of BIND since
> | 1997, and of course by every version of my cache. The need for it is
> | explained in detail in http://cr.yp.to/djbdns/notes.html.
>
> I haven't looked to see whether BIND really does that or not, but there
> is certainly no need for it (and I actually doubt it a bit).

This time, DJB is correct. When resolving, BIND 8 and 9 do reject all
records that are not within the domain whose authoritative servers are
being queried. If they did not, we would be seeing many more cases of
cache poisoning than we do now.
-- 
Andreas Gustafsson, gson@nominum.com