:On Mon, 16 Jul 2001, Matt Dillon wrote:
:
:>     I don't think that's it... if you look at the dumps, there were no timeouts
:>     in the 2-day range.  The original glue NS records (from exodus) had already
:>     been completely replaced by the NS record from their zone.  Everything in
:>     their zones is already synchronized.
:>
:>                                              -Matt
:
:If I recall correctly, what you're describing above *causes* the problem.
:Their NSes have to be synced with the roots.
:
:I tried searching the archives, and I can't find the messages talking
:about the topic.  I did find djb's page with his rants about dns
:breakages, and at the end of one he mentions:
:
:"Beware that, because of the ``credibility'' rules described above, the NS
:records from the child servers must include the NS records from the
:parent. Otherwise an attacker can break BIND's access to the child
:servers."
:
:This is from: http://cr.yp.to/djbdns/notes.html
:
:So, there's something to it, though I no longer remember exactly why.
:Read through that page, he seems to be trying to explain the problem.
:
:Mike "Silby" Silbersack

    Interesting.  He describes in the section about 'expiring glue'
    creating loops in the DNS server, but doesn't mention a particular
    bug.  

    However, there's another section where he mentions something about
    bind reducing the TTL by 5% for certain credibility cases.

    Going back to my original posting... the NS is 2016 and fuji
    is 1846 = 170 = 5%.

    I think this credibility stuff reducing the TTL in named is
    responsible for these blowups.  I am going to email the bind group
    with this whole mess to see what they have to say.

                                            -Matt
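The rule Silby quotes from djb's notes (the child's NS RRset must include the NS records the parent delegates with) is something you can check directly by comparing the referral you get from the parent's servers with the apex NS RRset the child's servers publish. The script below is an added example, not code from this thread or from BIND or djbdns: it parses two constructed, dig-style answer sections (the zone and server names are hypothetical) and reports names that appear only on the parent side, which is the case djb warns about, and names that appear only on the child side.

```python
"""Compare the NS RRset a parent zone delegates with (the glue side) against
the NS RRset the child zone publishes at its apex.

Added example with constructed sample data; it makes no network queries.
"""

from dataclasses import dataclass

# Constructed sample input, shaped like the answer/authority section of a
# `dig` reply.  Hypothetical zone and nameserver names.
PARENT_REFERRAL = """\
example.test.   172800  IN  NS  ns1.hosting.test.
example.test.   172800  IN  NS  ns2.hosting.test.
"""

# The child's own apex NS RRset: it dropped ns2 and added ns3, so the child
# no longer includes everything the parent delegates with.
CHILD_APEX = """\
example.test.   2016    IN  NS  ns1.hosting.test.
example.test.   2016    IN  NS  ns3.hosting.test.
"""


@dataclass(frozen=True)
class NSRecord:
    owner: str
    ttl: int
    target: str


def parse_ns(text):
    """Return the set of NS records found in dig-style presentation text.

    Lines that are not five-field `owner TTL IN NS target` records
    (comments, blank lines, other record types) are skipped.
    """
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] != "NS":
            continue
        owner, ttl, _, _, target = fields
        records.add(NSRecord(owner.lower(), int(ttl), target.lower()))
    return records


def compare_delegation(parent_text, child_text):
    """Compare delegation NS names (parent) with apex NS names (child).

    Returns a dict with:
      parent_only  - names the parent delegates to but the child omits
                     (djb's warning case: the child set must include these)
      child_only   - names the child lists that the parent does not know
      owners       - owner names seen on both sides (should be one zone)
      consistent   - True only if every parent-side name is in the child set
    """
    parent = parse_ns(parent_text)
    child = parse_ns(child_text)
    parent_names = {r.target for r in parent}
    child_names = {r.target for r in child}
    return {
        "parent_only": sorted(parent_names - child_names),
        "child_only": sorted(child_names - parent_names),
        "owners": sorted({r.owner for r in parent | child}),
        "consistent": parent_names <= child_names,
    }


if __name__ == "__main__":
    result = compare_delegation(PARENT_REFERRAL, CHILD_APEX)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Against the constructed input the check reports `ns2.hosting.test.` as parent-only and `ns3.hosting.test.` as child-only, and marks the delegation inconsistent. On a live zone you would feed it the output of a query to a parent-side server (the referral) and a query to one of the child's servers for the apex NS RRset; a non-empty `parent_only` list is the condition to fix, since it is exactly the situation djb describes. Note that this compares names only; whether the parent's glue addresses match the child's A records is a separate check.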

