Hi John.
Let me add that NOT restricting what the resolver accepts from the
forwarder would be a security hole. In fact it _was_ a security hole in
BIND, see
[CVE-2021-25220] DNS Cache Poisoning Vulnerability
https://gitlab.isc.org/isc-projects/bind9/-/issues/2950
In your example 'baz.local'
Hi John.
The reason is step 4c here:
https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3
The A record in the response is for a name that BIND wasn't asked for
(otherwise why a CNAME at all?), so in the interests of not just believing
random answers that might potentially poison the cache,
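A small model of the RFC 1034 step 4c behaviour described above, added here as an illustration; it is not code from this thread or from BIND, and the record names, addresses and the fake forwarder are constructed.

```python
from typing import NamedTuple

class RR(NamedTuple):
    owner: str   # owner name, as sent by the forwarder
    rtype: str   # record type, e.g. "A" or "CNAME"
    rdata: str   # address or canonical name

def _norm(name):
    return name.lower().rstrip(".")

def process_response(sname, stype, answer):
    """Model of RFC 1034 section 5.3.3 step 4 for one response.

    Returns (accepted, rejected, restart_with):
      accepted     - RRs owned by the name actually asked for (safe to cache)
      rejected     - RRs for any other name; not cached, however helpful they look
      restart_with - canonical name to re-query (step 4c), or None
    """
    sname = _norm(sname)
    accepted, rejected, restart = [], [], None
    for rr in answer:
        if _norm(rr.owner) != sname:
            rejected.append(rr)      # a name we never asked about
        elif rr.rtype == stype:
            accepted.append(rr)      # step 4a: a direct answer
        elif rr.rtype == "CNAME":
            accepted.append(rr)      # step 4c: copy the CNAME, then restart
            restart = _norm(rr.rdata)
        else:
            rejected.append(rr)
    return accepted, rejected, restart

def resolve(qname, qtype, responder, max_steps=8):
    """Follow a CNAME chain by re-asking the forwarder for each canonical
    name instead of trusting records piggy-backed on an earlier response."""
    sname, cache = _norm(qname), []
    for _ in range(max_steps):
        acc, _rej, nxt = process_response(sname, qtype, responder(sname, qtype))
        cache.extend(acc)
        if nxt is None:
            return cache
        sname = nxt
    raise RuntimeError("CNAME chain too long")

# Constructed forwarder: the first response carries two records for names
# that were not queried; only the CNAME for the queried name is kept.
_RESPONSES = {
    ("www.example.test", "A"): [RR("www.example.test", "CNAME", "baz.local."),
                                RR("baz.local", "A", "192.0.2.1"),
                                RR("other.example.test", "A", "192.0.2.66")],
    ("baz.local", "A"):        [RR("baz.local", "A", "192.0.2.1")],
}

def fake_forwarder(name, rtype):
    return _RESPONSES.get((name, rtype), [])
```

The unsolicited `baz.local` A record is dropped from the first response and only enters the cache once the resolver has asked for `baz.local` itself.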