Quick question - If you don't implement a patch are you leaving yourself exposed to a DOS attack? A simple perl script enumerating random domains and digging at an ISP server could probably fill a DNS cache over a period of time. (It would eventually fall over I guess...) Rob -----Original Message----- From: Nic Bellamy [mailto:nic(a)bellamy.co.nz] Sent: Wednesday, 17 September 2003 10:25 a.m. To: nznog(a)list.waikato.ac.nz On Wed, 2003-09-17 at 09:29, Joe Abley wrote:

On Monday, Sep 15, 2003, at 23:58 Canada/Eastern, Juha Saarinen wrote:

...

Brent McDowell wrote:

...

For those of you who use djbdns, a patch has been released that rejects A records that resolve to 64.94.110.11. It'll return NXDOMAIN. http://tinydns.org/djbdns-1.05-ignoreip.patch

Anything for BIND 9?

I am told an official patch is being tested right now.

In the interim, there's a patch floating around for bind9 - haven't found an official site for it, so I've chucked it up at: http://www.bellamy.co.nz/stuff/bind9-antiverisign.patch I can confirm it Works For Me(tm) (even if it's done in a rather ugly manner). Cheers, Nic. -- Nic Bellamy Bellamy Consulting (NZ) Limited. +64-6-377-4957 Mobile: +64-21-251-8954 Internet Software & Security Consulting -- http://www.bellamy.co.nz/ -- _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog