Subject: Re: NetBSD Security Advisory 2003-018: DNS negative cache poisoning
To: David Maxwell <firstname.lastname@example.org>
From: Andreas Gustafsson <email@example.com>
Date: 12/18/2003 10:33:04

David Maxwell <firstname.lastname@example.org> said:
> BIND 9 has limitations for IPv6 users that make it a poor candidate
> for inclusion in the base OS until they are resolved.
> For individuals with no IPv6 requirements, it is certainly an
> appropriate way to go.

I think you have misunderstood the note in src/doc/3RDPARTY saying
"9.2.x has some issues (A6 queries for glue, for instance)".

I believe the note is referring to the fact that when a 9.2 server is
looking up missing name server addresses, it sends queries of type A,
AAAA, *and* A6. Since the use of A6 has been effectively deprecated
and almost no one actually publishes A6 records, sending these A6
queries will in practice amount to a waste of some small amount of CPU
and bandwidth. It's an issue, but IMO a minor one.

Saying that this is a "limitation for IPv6 users" is misleading - if
these A6 glue lookups are indeed an issue, they are just as much an
issue for IPv4 users as they are for IPv6 users, since they happen
regardless of the query type and transport.

As far as I know, there are no actual "limitations for IPv6 users" in
BIND 9.2. Lookups of IPv6 addresses, reverse lookups of IPv6
addresses, and lookups over IPv6 transport all work just fine.

Andreas Gustafsson, email@example.com