Date:      Mon, 16 Jul 2001 19:21:38 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Mike Silbersack <silby@silby.com>
Cc:        Len Conrad <LConrad@Go2France.com>, <freebsd-hackers@FreeBSD.ORG>
Subject:   Re: Weird named problem - IN A for nameservers being lost!
Message-ID:  <200107170221.f6H2Lcj36277@earth.backplane.com>
References:   <20010716201723.P74787-100000@achilles.silby.com>


:
:
:On Mon, 16 Jul 2001, Matt Dillon wrote:
:
:>     I don't think that's it... if you look at the dumps, there were no timeouts
:>     in the 2-day range.  The original glue NS records (from exodus) had already
:>     been completely replaced by the NS record from their zone.  Everything in
:>     their zones is already synchronized.
:>
:> 						-Matt
:
:If I recall correctly, what you're describing above *causes* the problem.
:Their NSes have to be synced with the roots.
:
:I tried searching the archives, and I can't find the messages talking
:about the topic.  I did find djb's page with his rants about dns
:breakages, and at the end of one he mentions:
:
:"Beware that, because of the ``credibility'' rules described above, the NS
:records from the child servers must include the NS records from the
:parent. Otherwise an attacker can break BIND's access to the child
:servers."
:
:This is from: http://cr.yp.to/djbdns/notes.html
:
:So, there's something to it, though I no longer remember exactly why.
:Read through that page, he seems to be trying to explain the problem.
:
:Mike "Silby" Silbersack

    Interesting.  He describes in the section about 'expiring glue'
    creating loops in the DNS server, but doesn't mention a particular
    bug.  

    However, there's another section where he mentions something about
    bind reducing the TTL by 5% for certain credibility cases.

    Going back to my original posting... the NS is 2016 and fuji
    is 1846 = 170 = 5%.

    I think this credibility stuff reducing the TTL in named is
    responsible for these blowups.  I am going to email the bind group
    with this whole mess to see what they have to say.

					    -Matt
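The quoted note from the djbdns page says the NS RRset served by the child zone's own servers must include every NS name in the parent's delegation, and Matt's follow-up is about a TTL that came back smaller than expected. The script below is an added example, not code from the thread, from BIND or from djbdns: it parses simple "owner TTL IN NS target" lines, reports delegation names the child does not list, and computes how far an observed TTL has dropped from the original. All record lines are constructed; it never queries the network and does not model BIND's credibility rules themselves.

```python
# Added example (not from the thread): check that a child zone's apex NS RRset
# includes every nameserver the parent delegates to, and measure TTL drift.
# All record lines below are constructed; nothing here queries the network or
# models BIND's internal credibility logic.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class NSRecord:
    owner: str
    ttl: int
    target: str


def canon(name: str) -> str:
    """Lower-case and fully qualify a DNS name so set comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_ns_lines(lines: Iterable[str]) -> List[NSRecord]:
    """Parse 'owner TTL IN NS target' lines (dig answer-section style)."""
    records = []
    for line in lines:
        line = line.split(";", 1)[0].strip()  # drop zone-file comments and blanks
        if not line:
            continue
        owner, ttl, rclass, rtype, target = line.split()
        if rclass.upper() != "IN" or rtype.upper() != "NS":
            raise ValueError(f"not an IN NS record: {line}")
        records.append(NSRecord(canon(owner), int(ttl), canon(target)))
    return records


def check_delegation(parent: List[NSRecord], child: List[NSRecord]) -> Dict[str, object]:
    """Compare the parent's delegation NS set with the child's apex NS set.

    'missing_in_child' is the case the quoted note warns about: a server the
    parent delegates to that the child's own NS RRset does not list."""
    parent_names = {r.target for r in parent}
    child_names = {r.target for r in child}
    return {
        "missing_in_child": sorted(parent_names - child_names),
        "only_in_child": sorted(child_names - parent_names),
        "consistent": parent_names <= child_names,
    }


def ttl_reduction_percent(original_ttl: int, observed_ttl: int) -> float:
    """Percentage by which an observed TTL is below the original (positive = shrunk)."""
    if original_ttl <= 0:
        raise ValueError("original TTL must be positive")
    return (original_ttl - observed_ttl) * 100.0 / original_ttl


# Constructed sample data: one parent delegation and two candidate child RRsets.
PARENT_DELEGATION = parse_ns_lines([
    "example.test.  172800  IN  NS  ns1.example.test.",
    "example.test.  172800  IN  NS  ns2.example.test.",
])
CHILD_OK = parse_ns_lines([
    "example.test.  3600  IN  NS  ns1.example.test.",
    "example.test.  3600  IN  NS  NS2.example.test.",  # case differs on purpose
    "example.test.  3600  IN  NS  ns3.example.test.",  # extra server is fine
])
CHILD_BAD = parse_ns_lines([
    "example.test.  3600  IN  NS  ns1.example.test.",
    "example.test.  3600  IN  NS  ns3.example.test.",  # ns2 from the parent is gone
])

if __name__ == "__main__":
    for label, child in (("ok", CHILD_OK), ("bad", CHILD_BAD)):
        print(label, check_delegation(PARENT_DELEGATION, child))
    # Constructed TTL pair: 3600 originally, 3420 observed -> 5.0 % reduction
    print("ttl drop %:", ttl_reduction_percent(3600, 3420))
```

Names are canonicalised before comparison, so a child RRset that differs only in letter case or a missing trailing dot is still reported as consistent; only a genuinely absent delegation name shows up in `missing_in_child`.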

