Comment 3 for bug 1471159

Kiall Mac Innes (kiall) wrote :

@Florian Weimer: With regard to #3, this is an interesting variation on DNS cache poisoning. Properly configured recursive resolvers will ignore the out-of-bailiwick additional section. As this is a well-known and widely mitigated attack against DNS, I believe this should be moved to Public Security, with documentation providing recommended configurations for DNS servers to prevent the out-of-zone data from being returned.

I'm attaching a screenshot of the new documentation section I'll be proposing for this. This section will be further updated to address your A and B points above.