On Tue, Aug 05, 2008 at 06:00:58AM +0900, Masataka Ohta wrote:

> The fix is, again, that, if you are told that NS for www.example1.com
> is ns.example2.com with glue-A of ns.example2.com is, the
> glue-A must be cached with a tag that the information is valid only
> as NS of www.example1.com.

How about just not caching the glue-A? Seems to work just fine. It is out of

In general, the larger problem is that it is very hard to refuse this
(spoofed) answer when it comes in:

;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 10
;random-21312313123.nl. IN A

nl. 172800 IN NS NS2.NOT-THE-REAL-NIC.nl.
nl. 172800 IN NS NS3.NOT-THE-REAL-NIC.nl.

I may be mistaken, but do you have a solution for this problem? Fiddling
with tagged cache entries etc. doesn't seem to cut it.


http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
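
Added example, not part of the original message or of any resolver's code: a minimal owner-name bailiwick filter run over the response quoted above, showing that the spoofed `nl.` NS records pass it while out-of-zone glue does not. The function names and the glue addresses (documentation range 192.0.2.0/24) are assumptions made for the illustration.

```python
# Added illustration; in_bailiwick and filter_referral are hypothetical names.

def labels(name):
    """Split a domain name into lowercase labels; the root is an empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner is at or below zone, compared label by label."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_referral(zone_asked, records):
    """Split records into (accepted, rejected) by owner-name bailiwick only."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr[0], zone_asked) else rejected).append(rr)
    return accepted, rejected

# Constructed sample, as (owner, ttl, type, rdata). The two NS records are the
# ones shown in the message; both A records are constructed for this example.
SPOOFED = [
    ("nl.", 172800, "NS", "NS2.NOT-THE-REAL-NIC.nl."),
    ("nl.", 172800, "NS", "NS3.NOT-THE-REAL-NIC.nl."),
    ("NS2.NOT-THE-REAL-NIC.nl.", 172800, "A", "192.0.2.53"),
    ("ns.example2.com.", 172800, "A", "192.0.2.54"),
]

if __name__ == "__main__":
    # The resolver sent its query for random-21312313123.nl to a server for "nl."
    accepted, rejected = filter_referral("nl.", SPOOFED)
    for rr in accepted:
        print("accepted:", rr)
    for rr in rejected:
        print("rejected:", rr)
```

The filter sees only names, so a forged response that names the zone being queried is indistinguishable from a genuine one at this layer.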
