httpd-dev mailing list archives

From Paul Richards <>
Subject Re: security holes and other fun stuff
Date Tue, 16 Jul 1996 00:42:11 GMT
In reply to Dean Gaudet who said
> In article <>,
> Paul Richards  <> wrote:
> Any DNS server that caches an entry for longer than that time is
> fundamentally broken.  Take a look at the API though: gethostbyname and
> gethostbyaddr DO NOT RETURN THE TIMEOUT.  Hence it is impossible as an
> application "doing the right thing" by using the API to actually do
> the right thing.  Netscape is actually closer to being able to do the
> right thing by writing their own API.

Not true. 

> Netscape is broken.  Apache (configured with DNS) is broken.  INN is
> broken (the FAQ mentions this and gives a "fix").  Hell telnet, rlogin,
> any news reader, they're all broken because they don't continually 
> look up the names they're using.

This isn't how DNS works at all. An application only has to do a DNS lookup
once, to map the domain name to an IP address. Once it's opened a connection
then there's no need to check that the DNS map has changed.

If you change an IP address on a box then all existing connections will
drop anyway, and at the next DNS lookup the new address will appear. There's
absolutely no need for any API to pass back timeout values; they're
not relevant to applications.

> A month after renumbering I saw 4 requests per day to the old
> address.  A month after renumbering I saw 3 requests per day.
> I have two week zone timeouts, with 1 day updates, and 1/2 day ttls.
> In two days all my secondaries should have updated (they had).  In three
> days everyone should have been going to the new address.

Either they are using IP addresses directly (i.e. no DNS involved)
or there's some very broken code out there. I'm not going to worry
very much about someone else's broken code.

It just can't happen with working code.

> Theory and practice don't meet.  I studied mathematics, I'm totally
> into theory.  I'm just giving you a practical view from someone who
> has actually gone through the effort of renumbering a bunch of servers.
> Maybe Cliff can add something here -- he's gone through this as well.

I've been through this a number of times also. I've not experienced what
you seem to have.

> Regardless of this fact of life, my point is still valid.  You always have
> to run with two config entries long enough to let the old record time out.
> Brian was claiming that there was some magic method of running with one
> that required little co-ordination.
> The length of that time is what's at issue here.  There's like 0 chance
> you'll convince J. Random Admin to play with the magic values in their
> zone's SOA.  The number of people that understand that the 2nd through
> 4th values refer to the zone as a whole and not the individual records
> is pretty small.  I know how to play with the values to attempt to renumber

If the admin doesn't have a full understanding of DNS then the whole issue
is irrelevant.

  Paul Richards, Originative Solutions Ltd.
  Phone: 0370 462071 (Mobile), +44 1225 447500 (work)
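Added illustration, not part of the thread and not Apache, INN or Netscape code: the disagreement above is about whether a client that resolves a name once (the way gethostbyname() lets it, since that call never returns the record's TTL) keeps sending to an old address after renumbering, and for how long. The simulation below uses a constructed zone in which www.example.test is moved from 192.0.2.10 to 198.51.100.10 three hours into the run, with the half-day TTL mentioned in the thread, and compares a one-shot gethostbyname()-style client against one that re-resolves when the TTL expires. The names FakeZone, OneShotCache, TtlCache and simulate are assumptions of this example; no real DNS traffic is sent and time is simulated.

```python
"""One-shot gethostbyname()-style lookup vs. a TTL-aware cache during renumbering.

All zone data, addresses and timings here are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

HALF_DAY = 12 * 60 * 60   # the 1/2 day record TTL quoted in the thread
DAY = 24 * 60 * 60


@dataclass
class Answer:
    addresses: List[str]
    ttl: int                 # seconds the answer may be cached, from the RR


class FakeZone:
    """Constructed authoritative data: one A record renumbered at `switch_at`."""

    def __init__(self, old: str, new: str, ttl: int, switch_at: float) -> None:
        self.old, self.new, self.ttl, self.switch_at = old, new, ttl, switch_at

    def resolve(self, name: str, now: float) -> Answer:
        if name != "www.example.test":
            raise LookupError(name)
        return Answer([self.new if now >= self.switch_at else self.old], self.ttl)


Resolver = Callable[[str, float], Answer]


class OneShotCache:
    """Mimics code that calls gethostbyname() once and keeps the result.

    gethostbyname() does not expose the TTL, so nothing in the API tells
    such code when the cached address has gone stale."""

    def __init__(self, resolve: Resolver) -> None:
        self._resolve = resolve
        self._cached: Dict[str, List[str]] = {}

    def lookup(self, name: str, now: float) -> List[str]:
        if name not in self._cached:
            self._cached[name] = self._resolve(name, now).addresses
        return self._cached[name]


class TtlCache:
    """Keeps an answer only until its TTL expires, then re-resolves."""

    def __init__(self, resolve: Resolver) -> None:
        self._resolve = resolve
        self._cached: Dict[str, Tuple[List[str], float]] = {}

    def lookup(self, name: str, now: float) -> List[str]:
        hit = self._cached.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]                      # still within the TTL
        ans = self._resolve(name, now)
        self._cached[name] = (ans.addresses, now + ans.ttl)
        return ans.addresses


def simulate(switch_at: float = 3 * 3600, ttl: int = HALF_DAY,
             step: int = HALF_DAY // 2, days: int = 3) -> Dict[str, List[Tuple[float, str]]]:
    """Sample each client every `step` seconds for `days` days.

    Returns {client_name: [(simulated_time, address_used), ...]}."""
    zone = FakeZone("192.0.2.10", "198.51.100.10", ttl, switch_at)
    clients = {"one_shot": OneShotCache(zone.resolve),
               "ttl_aware": TtlCache(zone.resolve)}
    trace: Dict[str, List[Tuple[float, str]]] = {k: [] for k in clients}
    t = 0.0
    while t <= days * DAY:
        for k, c in clients.items():
            trace[k].append((t, c.lookup("www.example.test", t)[0]))
        t += step
    return trace


def last_old_address_use(trace: Dict[str, List[Tuple[float, str]]],
                         old: str = "192.0.2.10") -> Dict[str, Optional[float]]:
    """Latest sample time at which each client still used the old address."""
    return {k: max((t for t, a in v if a == old), default=None)
            for k, v in trace.items()}


if __name__ == "__main__":
    for client, when in last_old_address_use(simulate()).items():
        print(f"{client}: last use of old address at t={when}s")
```

With the defaults the TTL-aware client keeps using the old address for at most one TTL after the switch, which is the window the old address has to stay reachable for resolver caches to drain; the one-shot client never moves at all, which is the behaviour the thread describes as "broken" and which no SOA tuning can fix from the server side.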
