To: bert hubert <ahu@ds9a.nl>
CC: dnsop@cafax.se
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Fri, 07 Nov 2003 17:23:14 +0900
In-Reply-To: <20031107080338.GA21549@outpost.ds9a.nl>
Sender: owner-dnsop@cafax.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Subject: Re: preventing cache contamination
bert hubert;

>>> Ah - so you just ask a question multiple times with different id and source
>>> port, making it exponentially harder to spoof an answer.
>>
>> No, though it is a protection on end systems. To prevent cache
>> contamination, it is enough that the caching server caches information
>> only if there is more than one query.

> Ah - that would still allow the first answer to be spoofed.

I know, and it is easy to stop it. But see the subject.

> How do you deal
> with bona fide changes within the TTL? These also generate different answers
> than before.

That's why I wrote "compatible answer" in the first mail of the thread.

>>> Say a question originally arrived for www.hpcl.titech.ac.jp, and
>>> pdns_recursor already had "titech.ac.jp NS your-nameserver", pdns_recursor
>>> only accepts answers within or above titech.ac.jp. Foo.bar is immediately
>>> rejected, as it does not end on titech.ac.jp.
>>
>> Are you saying nameservers "[a-m].gtld-servers.net." for "com." are
>> rejected?
>
> No, I look at the left hand side, [a-m].gtld-servers.net are accepted from
> the "." nameserver because they are records for "COM." which is above ".".

"COM." is above "."? I'm totally confused.

Are there any documents on the net?

Masataka Ohta

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
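The record-filtering rule the two posters are circling is usually called a bailiwick check: a caching resolver that asked a server for zone Z installs only those records whose owner name is Z itself or a name under Z, and discards the rest of the response. The root zone "." has no labels, so every name is under it, which is why NS and glue records for "com." learned from a root server pass the check while a stray "foo.bar." in an answer from the titech.ac.jp server does not. The block below is an added example written for this page; it is not code from pdns_recursor or from either poster, and its owner names, record tuples and 192.0.2.x addresses are constructed for illustration.

```python
"""Bailiwick check for a caching resolver (added example, not from the thread).

Rule assumed here: a record returned by a server that was queried for
zone Z is accepted only if its owner name is Z or a name below Z.
"""
from typing import Iterable


def labels(name: str) -> list[str]:
    """Split an absolute or relative DNS name into lowercase labels.

    'www.hpcl.titech.ac.jp.' -> ['www', 'hpcl', 'titech', 'ac', 'jp']
    '.' (the root)            -> []
    """
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if OWNER is ZONE itself or lies below it.

    Comparison is done on whole labels, so 'xtitech.ac.jp' is NOT under
    'titech.ac.jp' even though one string ends with the other.
    The root zone has zero labels and therefore covers every name.
    """
    o, z = labels(owner), labels(zone)
    if not z:
        return True
    return len(o) >= len(z) and o[-len(z):] == z


def filter_response(zone: str, records: Iterable[tuple[str, str, str]]):
    """Split (owner, rrtype, rdata) records from a server for ZONE into
    the ones the cache may install and the ones it must drop."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr[0], zone) else rejected).append(rr)
    return accepted, rejected


# Constructed responses; addresses are from the 192.0.2.0/24 documentation range.
ROOT_REFERRAL_FOR_COM = [
    ("com.", "NS", "a.gtld-servers.net."),
    ("a.gtld-servers.net.", "A", "192.0.2.1"),   # glue, under "." like everything
]

TITECH_ANSWER_WITH_JUNK = [
    ("www.hpcl.titech.ac.jp.", "A", "192.0.2.10"),   # what was asked for
    ("foo.bar.", "A", "192.0.2.66"),                 # not under titech.ac.jp
    ("www.example.com.", "NS", "ns.example.net."),   # attempted contamination
]

COM_ANSWER_WITH_NET_GLUE = [
    ("example.com.", "NS", "a.gtld-servers.net."),
    ("a.gtld-servers.net.", "A", "192.0.2.1"),   # .net is not under .com: drop
]


def demo() -> dict:
    """Run the three constructed responses through the check."""
    return {
        "root": filter_response(".", ROOT_REFERRAL_FOR_COM),
        "titech": filter_response("titech.ac.jp.", TITECH_ANSWER_WITH_JUNK),
        "com": filter_response("com.", COM_ANSWER_WITH_NET_GLUE),
    }


if __name__ == "__main__":
    for zone, (ok, bad) in demo().items():
        print(f"server for {zone!r}: accepted {len(ok)}, rejected {len(bad)}")
        for rr in bad:
            print("   dropped:", rr)
```

The same glue record for a.gtld-servers.net is accepted when it comes from a root server and dropped when it comes from a com server; that asymmetry, rather than any notion of "above", is what the check buys. A real resolver layers further ranking on top (the queried name's own answer section outranks additional-section data, per RFC 2181 section 5.4.1), but the bailiwick test is the part that stops a response from installing records for unrelated zones.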