On Tue Aug 28 23:33:20 EDT 2012, cinap_len...@gmx.de wrote:
> aback.com has ns.buydomains.com as nameserver, which seem to
> announce itself to be responsible for the whole .com tld and
> answers positively to everything with bullshit spam ip addresses
> causing all further .com domain queries to get resolved by that
> spam ns.buydomains.com dns. :(
>
> is this allowed by the standard? is there anything we can do
> to prevent it from poisoning our cache?
no it's not*. there's a dns concept that is generally referred to as
"baliwick" which means crudly the stuff you're responsible for.
answers are only acceptable if they are in balliwick. so that
the . servers may serve up any answer, but buydomains.com
may only serve up answers for buydomains.com. ("." is actually
irrelevant, unless it is delegated.)
(* unless it's a cname. fu.bar.com cname blotz.frobnitz.org is cool.)
dnresolve.c:/^procansw should protect against it in the
section commented /* ignore any bad delegations */. it should
not log on cname delegations that are are out-of-balliwick.
that's something i've added to my copy.
it's not hard to imagine that this code is not perfect. :-)
- erik
