While I am not at liberty at this time to release the documentation in my hands as the invidual who wrote it would like to try and get a patch available before releasing his advisory. Put simply, he has 'discovered', documented, and made available his methods, a method to forge DNS information in a way that would/could cause the errors you are seeing in the root name servers. The following is an excerpt that I don't think he'll get pissed about if I release: Because of the severity of the problem at hand, no source code will be made available. However, I have setup a service that you can use to test your dns servers to see if they are vulnerable. I have setup certain domain names off the sventech.com domain which when queried will send additional information in the packet to attempt to get bind to cache. Here is a list of the domain names and the information they try to cache: begin.dns.sventech.com Will load a domain name of this.is.a.test.domain with an A record of 1.2.3.4 and a MX record of mail.test.domain with a priority of 10 for test.domain. It will also give it a NS record that points to ns.test.domain which has an IP address of 4.3.2.1 add.dns.sventech.com This will add an A record of 3.1.33.7 to this.is.a.test.domain mx.dns.sventech.com This will add an MX record of mail.competitor.domain to test.domain with a priority of 5 On Thu, 13 Feb 1997, Matthew Kaufman wrote:

for the past few hours, we've been seeing certain root servers intermittently claiming that certain names don't exist, and then changing their mind a few minutes later.

anyone else seeing this? did i miss an announcement of problems?

-matthew kaufman matthew@scruz.net

[-] Brett L. Hawn (blh @ nol dot net) [-] [-] Networks On-Line - Houston, Texas [-] [-] 713-467-7100 [-]