On Mon, 16 Jul 2001, Matt Dillon wrote:
> I don't think that's it... if you look at the dumps, there were no timeouts
> in the 2-day range. The original glue NS records (from exodus) had already
> been completely replaced by the NS record from their zone. Everything in
> their zones is already synchronized.
>
> -Matt

If I recall correctly, what you're describing above *causes* the problem.
Their NSes have to be synced with the roots.

I tried searching the archives, and I can't find the messages talking
about the topic. I did find djb's page with his rants about DNS
breakages, and at the end of one he mentions:

"Beware that, because of the ``credibility'' rules described above, the NS
records from the child servers must include the NS records from the
parent. Otherwise an attacker can break BIND's access to the child
servers."

This is from: http://cr.yp.to/djbdns/notes.html

So, there's something to it, though I no longer remember exactly why.
Read through that page; he seems to be trying to explain the problem.

Mike "Silby" Silbersack
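
A check for the rule quoted from djb's notes above (the NS records served by the child must include the NS records held by the parent), as an added example that is not part of the original message. The zone name, server names and record text are constructed placeholders, and the script compares record text you supply rather than querying DNS itself.

```python
"""Compare a parent's delegation NS set with the child zone's own NS set."""
import re

# Constructed sample data: what the parent zone delegates with ...
PARENT_DELEGATION = """\
example.com.   172800 IN NS ns1.example.net.
example.com.   172800 IN NS ns2.example.net.
"""
# ... and what the child zone's own servers answer for the zone apex.
CHILD_APEX = """\
; answer from the child zone's servers
EXAMPLE.COM.   3600 IN NS NS1.example.net.
example.com.   3600 IN NS ns3.example.net.
"""

# owner [ttl] [class] NS target, as in zone files and dig output
NS_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NS\s+(\S+)\s*$", re.IGNORECASE)


def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()


def ns_set(text, zone):
    """Return the normalized NS targets listed for `zone` in record text."""
    targets = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        match = NS_LINE.match(line)
        if match and norm(match.group(1)) == norm(zone):
            targets.add(norm(match.group(2)))
    return targets


def check_delegation(parent_text, child_text, zone):
    """Flag parent NS names that the child zone does not list itself."""
    parent = ns_set(parent_text, zone)
    child = ns_set(child_text, zone)
    return {
        "missing_from_child": sorted(parent - child),  # violates the quoted rule
        "only_in_child": sorted(child - parent),       # extra names, allowed by the rule
        "ok": bool(parent) and parent <= child,
    }


if __name__ == "__main__":
    print(check_delegation(PARENT_DELEGATION, CHILD_APEX, "example.com"))
```
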