From: Mark.Andrews@isc.org
To: "Jacques A. Vidrine"
Cc: security@FreeBSD.ORG
Subject: Re: BIND and reconstruction of DNS messages (was Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv)
In-reply-to: Your message of "Wed, 26 Jun 2002 22:16:14 EST." <20020627031614.GE46205@madman.nectar.cc>
Date: Thu, 27 Jun 2002 13:35:47 +1000
Message-Id: <200206270335.g5R3Zlm0040680@drugs.dv.isc.org>

> On Thu, Jun 27, 2002 at 10:12:08AM +1000, Mark.Andrews@isc.org wrote:
> > Provided you are behind a nameserver you trust that reconstructs
> > the answer you should be fine.
>
> Thanks for this info, Mark.
>
> I guess that name server better be running on localhost, or else an
> agent may be able to spoof DNS messages.
>
> > BIND 9 reconstructs all answers (excluding forwarded UPDATES).
>
> cool
>
> > BIND 8 forwards some and reconstructs others.
>
> at random? :-)

No. See ns_resp.c for details.

> Cheers,
> --
> Jacques A. Vidrine http://www.nectar.cc/
> NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
> jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
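
What "reconstructing the answer" means for a client behind such a server, as an added sketch that is not BIND's code and not part of this thread: the response is parsed strictly and re-encoded from the parsed fields, so upstream compression pointers, inconsistent lengths and trailing bytes never reach the stub resolver. It is narrowed to questions plus 4-byte IN A answers (authority and additional sections are dropped); the function names and sample bytes are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (labels, offset after it)."""
    labels, resume, total = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            target = int.from_bytes(msg[off:off + 2], "big") & 0x3FFF
            if off + 2 > len(msg) or target >= off:
                raise ValueError("truncated, forward or self-referencing pointer")
            resume = off + 2 if resume is None else resume
            off = target                           # strictly backwards, so no loop
        elif n & 0xC0:
            raise ValueError("reserved label type")
        elif n == 0:                               # root label ends the name
            return labels, (off + 1 if resume is None else resume)
        else:
            total += n + 1
            if total > 254 or off + 1 + n > len(msg):
                raise ValueError("name too long or label truncated")
            labels.append(msg[off + 1:off + 1 + n])
            off += n + 1

def write_name(labels):
    """Encode a name without compression."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def reconstruct(msg):
    """Parse a response strictly and return a freshly encoded copy."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qd, an = struct.unpack("!4H", msg[:8])
    off, body = 12, []
    for i in range(qd + an):
        labels, off = read_name(msg, off)
        size = 4 if i < qd else 14                 # question tail vs. A-record tail
        tail = msg[off:off + size]
        if len(tail) != size:
            raise ValueError("truncated entry")
        if i >= qd and tail[:4] + tail[8:10] != b"\x00\x01\x00\x01\x00\x04":
            raise ValueError("answer is not a 4-byte IN A record")
        body.append(write_name(labels) + tail)
        off += size
    return struct.pack("!6H", ident, flags, qd, an, 0, 0) + b"".join(body)

# Constructed sample: example.com A 192.0.2.1, answer name compressed (c00c).
SAMPLE = bytes.fromhex("123481800001000100000000076578616d706c6503636f6d0000010001"
                       "c00c000100010000003c0004c0000201")
```

A message that raises `ValueError` is dropped rather than forwarded, which is the property the client relies on.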