"Robert Purdy (DSL AK)"
Quick question - If you don't implement a patch, are you leaving yourself exposed to a DoS attack?
A simple Perl script enumerating random domains and digging at an ISP server could probably fill a DNS cache over a period of time. (It would eventually fall over, I guess...)
With NXDOMAIN caching, that would happen anyway -- the "no such domain" answer is itself cached, so a subsequent query for the same domain can be given a cached answer. Note that you'd have to fill the cache inside the TTL of the cached records -- Verisign's wildcard A records have a TTL of 15 minutes; a cached NXDOMAIN entry gets its TTL from the negative TTL field of the SOA (formerly known as the default TTL). With current versions of BIND 9, you can use the "max-cache-size <bytes>" directive to set the maximum size of the cache, so it starts throwing away un-expired records when the max cache size is approached, thereby avoiding any such DoS. -- don
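To make the two mechanisms in the reply concrete (a cached NXDOMAIN that expires after the SOA-derived negative TTL, and a cache that stays bounded by evicting unexpired entries once it nears its limit), here is a small Python model written for this thread. It is not BIND's code and not from anyone in the discussion; the zone values, per-entry size estimate, the 64 KiB bound and the "rndXXXXXXXX.example" flood names are all constructed for the illustration. It uses the RFC 2308 rule that a negative answer is cached for min(SOA TTL, SOA MINIMUM).

```python
"""Toy model of a resolver's negative (NXDOMAIN) cache with TTL expiry and a
max-cache-size bound, in the spirit of BIND 9's "max-cache-size".

Added illustration for this thread, not BIND's implementation. Every zone
value, size estimate and timing below is constructed for the example.
"""
from __future__ import annotations

import time
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class SOA:
    """The two SOA values that matter for negative caching (RFC 2308)."""
    ttl: int      # TTL of the SOA record itself
    minimum: int  # the MINIMUM field, i.e. the "negative TTL"


def negative_ttl(soa: SOA) -> int:
    """RFC 2308: a cached NXDOMAIN lives for min(SOA TTL, SOA MINIMUM) seconds."""
    return min(soa.ttl, soa.minimum)


class NegativeCache:
    """Bounded cache of NXDOMAIN answers keyed by owner name.

    max_bytes models "max-cache-size": when the estimated footprint would exceed
    it, least-recently-used entries are evicted even though they are unexpired,
    so a flood of random nonexistent names cannot grow the cache without bound.
    """

    def __init__(self, max_bytes: int, clock=time.monotonic):
        self.max_bytes = max_bytes
        self.clock = clock                 # injectable so tests can fake time
        self._entries: OrderedDict[str, tuple[float, int]] = OrderedDict()  # name -> (expiry, size)
        self._bytes = 0
        self.evictions = 0

    @staticmethod
    def _size_of(name: str) -> int:
        # crude per-entry cost: encoded name plus a fixed overhead (constructed figure)
        return len(name.encode()) + 32

    def store_nxdomain(self, name: str, soa: SOA) -> None:
        name = name.lower().rstrip(".")
        size = self._size_of(name)
        if name in self._entries:
            self._bytes -= self._entries.pop(name)[1]
        # make room: drop LRU entries until the new one fits under max_bytes
        while self._entries and self._bytes + size > self.max_bytes:
            _, (_, old_size) = self._entries.popitem(last=False)
            self._bytes -= old_size
            self.evictions += 1
        self._entries[name] = (self.clock() + negative_ttl(soa), size)
        self._bytes += size

    def lookup(self, name: str) -> bool:
        """True if an unexpired NXDOMAIN is cached; expired entries are purged."""
        name = name.lower().rstrip(".")
        entry = self._entries.get(name)
        if entry is None:
            return False
        expiry, size = entry
        if expiry <= self.clock():
            del self._entries[name]
            self._bytes -= size
            return False
        self._entries.move_to_end(name)    # refresh LRU position on a hit
        return True

    def __len__(self) -> int:
        return len(self._entries)

    def bytes_used(self) -> int:
        return self._bytes


def simulate_random_flood(n: int, max_bytes: int, soa: SOA) -> NegativeCache:
    """Insert n distinct nonexistent names (constructed) and return the cache."""
    frozen_clock = 0.0                     # time does not advance during the flood
    cache = NegativeCache(max_bytes, clock=lambda: frozen_clock)
    for i in range(n):
        cache.store_nxdomain(f"rnd{i:08x}.example", soa)
    return cache


if __name__ == "__main__":
    soa = SOA(ttl=3600, minimum=900)
    c = simulate_random_flood(100_000, max_bytes=64 * 1024, soa=soa)
    print(f"entries={len(c)} bytes={c.bytes_used()} evictions={c.evictions}")
```

With the bound in place the flood only churns the cache: the entry count and byte total plateau at whatever fits under max_bytes, and every further random name evicts an older one instead of growing memory. Without the bound (or with a very large one) the only thing limiting growth is the negative TTL, which is exactly the window the reply says an attacker would have to beat.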