On Thu, 11 Nov 1999, Anonymous wrote:
> Ooh, those pesky NXT records. Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!
Caching-only servers are also vulnerable. The NXT record is no different
that any other DNS record in this case. If someone is able to make your
server fetch a maliciously-constructed NXT record, it will cause problems.
A query to a caching server will force the server to send a recursive
query, which makes the caching server vulnerable.
Brian
