1. DNS/毒盛/Guide/cache_overwriting
Sooel Son and Vitaly Shmatikov
5 Cache Overwriting
| Define symbol | Trust level | Description |
|---|---|---|
| trust ultimate | 8 | This server is authoritative |
| trust secure | 7 | Successfully DNSSEC validated |
| trust authanswer | 6 | Answer from an authoritative server |
| trust authauthority | 5 | Received in the auth section as an authority response |
| trust answer | 4 | Answer from a non-authoritative server |
| trust glue | 3 | Received in a referral response |
| trust additional | 2 | Received in the add section of a response |
Table 2. Trust levels in BIND 9.4.1.
In BIND, a cached RRset is overwritten if the trust level of the received RRset is higher or equal to the cached one and its TTL is longer. NS-type RRsets received in a referral are an exception: they have the trust level 8 for the purposes of overwriting (i.e., they always overwrite the records already present in the cache), but are stored with the trust level 3.
This shows how dangerous this is. <Treated as level 8, it always overwrites the cache.>
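The overwrite rule and the referral-NS exception described above, modelled in Python as an added example (not code from the paper or from BIND). The trust values come from Table 2; the class, function and field names, the `example.test` records, and skipping the TTL test for referral NS (reading "always overwrite" literally) are assumptions of this example.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

class Trust(IntEnum):  # values from Table 2; member names are this example's own
    ADDITIONAL = 2
    GLUE = 3
    ANSWER = 4
    AUTHAUTHORITY = 5
    AUTHANSWER = 6
    SECURE = 7
    ULTIMATE = 8

@dataclass(frozen=True)
class RRset:
    owner: str
    rtype: str
    rdata: tuple
    ttl: int
    trust: Trust
    from_referral: bool = False
    @property
    def referral_ns(self):
        return self.rtype == "NS" and self.from_referral

def should_overwrite(cached, received):
    # Referral NS compares as level 8 and "always" overwrites; skipping the TTL
    # test for it is this example's reading of that parenthetical.
    if received.referral_ns:
        return True
    return received.trust >= cached.trust and received.ttl > cached.ttl

def offer(cache, rr):
    # Apply the rule to a dict cache; return True if rr was stored.
    key = (rr.owner, rr.rtype)
    if key in cache and not should_overwrite(cache[key], rr):
        return False
    # Referral NS is stored at level 3 however it was compared.
    cache[key] = replace(rr, trust=Trust.GLUE) if rr.referral_ns else rr
    return True

def demo():
    # Constructed records under the reserved name example.test.
    def ns(host, ttl, trust, ref=False):
        return RRset("example.test", "NS", (host,), ttl, trust, ref)
    cache = {}
    steps = [offer(cache, ns("ns1.example.test", 3600, Trust.AUTHANSWER)),  # stored
             offer(cache, ns("ns2.example.test", 86400, Trust.ANSWER)),     # rejected: 4 < 6
             offer(cache, ns("ns3.example.test", 60, Trust.GLUE, True)),    # referral NS: kept at 3
             offer(cache, ns("ns4.example.test", 86400, Trust.ANSWER))]     # accepted: 4 >= 3, longer TTL
    return steps, cache[("example.test", "NS")]
```

In this model the level-4 record that was rejected while the cache held a level-6 answer is accepted once a referral has replaced that answer, because the referral's NS set is stored at level 3.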
In Unbound, the absolute trust levels are different, but the relative order is the same. Therefore, we use the same trust-level model for BIND and Unbound.
MaraDNS does not use trust levels.