In article <mailman.1394.1273050634.21153.bind-us...@lists.isc.org>, sth...@nethelp.no wrote:

> > > > I know of no such feature. What do you mean by "spoofed" anyway? How
> > > > would you expect named to detect "spoofing", and is that its job?
> > >
> > > It seems (not tested by me) that Nominum CNS does that: when many
> > > responses arrive which do not match (src IP address, query ID, etc)
> > > any pending answer, it switches to TCP, assuming someone tries to
> > > poison it.
> > >
> > > This is supposed to be a protection against the Kaminsky attack.
> >
> > Interesting. "Switches" by what means? Returns TC responses to all UDP
> > queries? Just for particular clients or particular domains? Is this
> > documented at all (yes, I'm too lazy to Google :-) ).
>
> According to the Nominum CNS manual,
>
> "When a single query ID mismatch is detected in the expected DNS
> response, CNS switches the recursive query to the more reliable TCP
> protocol ..."
>
> So it is definitely documented - though I'm sure there are details of
> the implementation which are *not* documented in the regular user
> manual.

Oh, I see. It's the other way round from what I had (wrongly) assumed - if the response to a query looks suspect then CNS will retry the query using TCP to try to protect against spoofed answers coming back.

Seems sensible.

Sam

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
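To make the behaviour described in the thread concrete, here is an added example (my own, not code from the thread or from Nominum CNS) of a resolver-side table that matches each incoming UDP response against its outstanding query and, on a mismatch, marks that name for a retry over TCP; the field names, the threshold parameter and the sample addresses are assumptions.

```python
from collections import namedtuple

# Constructed model of the behaviour described in the thread (assumption, not
# Nominum CNS code): outstanding UDP queries are kept in a table; a response
# that matches none of them (source IP, query ID, port, question name) counts
# as a mismatch, and once the count for that name reaches the threshold the
# name is retried over TCP instead of trusting any further UDP answer.
Query = namedtuple("Query", "qid server_ip src_port qname")
Response = namedtuple("Response", "qid src_ip dst_port qname")

class TcpFallbackGuard:
    def __init__(self, threshold=1):
        self.threshold = threshold   # CNS manual: a single mismatch suffices
        self.pending = {}            # (qid, server_ip, src_port) -> Query
        self.mismatches = {}         # qname -> mismatched responses seen
        self.retry_over_tcp = set()  # names whose lookup must move to TCP

    def send(self, q):
        self.pending[(q.qid, q.server_ip, q.src_port)] = q

    def receive(self, r):
        key = (r.qid, r.src_ip, r.dst_port)
        q = self.pending.get(key)
        if q is not None and q.qname == r.qname:
            del self.pending[key]    # genuine answer: consume it
            return "accepted"
        # Nothing outstanding matches: count it against the name asked about.
        n = self.mismatches.get(r.qname, 0) + 1
        self.mismatches[r.qname] = n
        if n >= self.threshold:
            self.retry_over_tcp.add(r.qname)
            return "tcp_retry"
        return "dropped"

def demo():
    """Constructed scenario: one genuine answer, then a response carrying a
    wrong query ID for a name that is still outstanding."""
    g = TcpFallbackGuard()
    g.send(Query(0x1A2B, "192.0.2.53", 40001, "www.example."))
    g.send(Query(0x3C4D, "192.0.2.53", 40002, "mail.example."))
    genuine = g.receive(Response(0x1A2B, "192.0.2.53", 40001, "www.example."))
    mismatched = g.receive(Response(0x0001, "192.0.2.53", 40002, "mail.example."))
    return {"genuine": genuine, "mismatched": mismatched,
            "tcp": sorted(g.retry_over_tcp)}
```

With threshold=1 a single bad query ID is enough, which is the behaviour the CNS manual quote describes; a higher threshold tolerates stray late answers before falling back.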
> > > > I know of no such feature. What do you mean by "spoofed" anyway? How > > > > would you expect named to detect "spoofing", and is that its job? > > > > > > It seems (not tested by me) that Nominum CNS does that: when many > > > responses arrive which do not match (src IP address, query ID, etc) > > > any pending answer, it switches to TCP, assuming someone tries to > > > poison it. > > > > > > This is supposed to be a protection against the Kaminsky attack. > > > > Interesting. "Switches" by what means? Returns TC responses to all UDP > > queries? Just for particular clients or particular domains? Is this > > documented at all (yes, I'm too lazy to Google :-) ). > > According to the Nominum CNS manual, > > "When a single query ID mismatch is detected in the expected DNS > response, CNS switches the recursive query to the more reliable TCP > protocol ..." > > So it is definitely documented - though I'm sure there are details of > the implementation which are *not* documented in the regular user > manual. Oh, I see. It's the other way round from what I had (wrongly) assumed - if the response to a query looks suspect then CNS will retry the query using TCP to try to protect against spoofed answers coming back. Seems sensible. Sam _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users