[Pdns-users] pdns_recursors trusts addtional section where it better shouldn't

Thomas Mieslinger miesi at india.com
Fri Feb 17 12:53:45 UTC 2017

Hi Pieter,

On 17.02.17 12:34, Pieter Lexis wrote:
> On Fri, 17 Feb 2017 11:39:51 +0100
> Thomas Mieslinger <miesi at india.com> wrote:
>> Why trusts pdns_recursor records from answers without aa bit set?
> While resolving, this is the only thing we can trust. And this answer is cached as well. This speeds things up tremendously.
> We could try to be more resilient against this when retrieving this information from the cache, but we do not blindly trust additional information.

I was unable to reproduce this with 4.0.4 so I don't see the need to try 
to get a CVE on this.


With crafted glue in the tld zone and mailrelays using pdns_recursor you 
could redirect mail traffic.

Maybe you could reevaluate your opinion on caching non aa bit set records.

Of course dnssec solves this, but it is still a long way until all zones 
are signed.


More information about the Pdns-users mailing list