Mark Andrews wrote:

> I can create delegations that REQUIRE glue from "DE" for
> zones under "COM" and glue in "COM" for zones under "DE"
> for the delegations to work.
>
> e.g.
> example.de NS ns1.example.com
> example.com NS ns1.example.de
>
> Back about BIND 4.9.[23] I configured named to stop accepting
> glue that wasn't under the parent zone. I did this so I
> could chase down bad glue. If there was bad glue I knew
> it had to come from a parent, grandparent etc. I also knew
> that it would break delegations like the one I'm describing
> above but I also knew they were rare.


And your false assertions have resulted in BIND vulnerabilities
against Kaminsky's variation of ID guessing attacks.

Isn't it enough that both "bailiwick" and "PKI" are not secure,
not even theoretically?

Masataka Ohta
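
The cross-TLD delegation pair quoted above, worked through as an added example that is not part of either message and is not BIND's code: a toy resolver step that shows why dropping glue outside the parent zone leaves both zones unreachable. The function names, the referral table and the 192.0.2.x addresses are constructed assumptions.

```python
# Constructed data: the referral each parent zone's servers would hand out for
# the two delegations in the message: (NS names, glue A records). Made-up addresses.
REFERRALS = {
    "de":  {"example.de":  (["ns1.example.com"], {"ns1.example.com": "192.0.2.1"})},
    "com": {"example.com": (["ns1.example.de"],  {"ns1.example.de":  "192.0.2.2"})},
}


def in_bailiwick(name, zone):
    """True if name is at or below zone, compared label by label."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return n[-len(z):] == z


def filter_glue(parent, glue, strict):
    """With strict set, keep only glue whose owner name is under the parent zone."""
    return {h: a for h, a in glue.items() if not strict or in_bailiwick(h, parent)}


def find_server_address(child, strict, pending=()):
    """Return an address for a name server of `child`, or None if unreachable."""
    if child in pending:
        return None  # already waiting on this zone: circular dependency
    parent = child.split(".", 1)[1]
    ns_names, all_glue = REFERRALS[parent][child]
    glue = filter_glue(parent, all_glue, strict)
    for ns in ns_names:
        if ns in glue:
            return glue[ns]
        # Glue was dropped, so the server's own zone must be reached first.
        ns_zone = ns.split(".", 1)[1]
        if find_server_address(ns_zone, strict, pending + (child,)) is not None:
            # Assumption: that zone's server would answer with the same address.
            return all_glue[ns]
    return None


if __name__ == "__main__":
    for zone in ("example.de", "example.com"):
        print(zone, "strict:", find_server_address(zone, True),
              "lax:", find_server_address(zone, False))
```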

