[Pdns-users] pdns_recursors trusts addtional section where it better shouldn't
Thomas Mieslinger
miesi at india.com
Fri Feb 17 12:53:45 UTC 2017
Hi Pieter,
On 17.02.17 12:34, Pieter Lexis wrote:
> On Fri, 17 Feb 2017 11:39:51 +0100
> Thomas Mieslinger <miesi at india.com> wrote:
>
>> Why trusts pdns_recursor records from answers without aa bit set?
>
> While resolving, this is the only thing we can trust. And this answer is cached as well. This speeds things up tremendously.
> We could try to be more resilient against this when retrieving this information from the cache, but we do not blindly trust additional information.
I was unable to reproduce this with 4.0.4 so I don't see the need to try
to get a CVE on this.
Why?
With crafted glue in the tld zone and mailrelays using pdns_recursor you
could redirect mail traffic.
Maybe you could reevaluate your opinion on caching non aa bit set records.
Of course dnssec solves this, but it is still a long way until all zones
are signed.
Thomas
More information about the Pdns-users
mailing list