> My other guess was that: it's quite easy to kill off a named daemon with > a udp packet with an invalid length field, from remote site. not as of 4.9, at least as far as i know. and if all your servers are running 4.9 or later code, then the A RR's are safe so the extra query in gethostby*() isn't strictly needed. normal, old-style spoofing (having the bad guy's host's PTR point to one of the good guys' hostnames) was fixed at the application level in BSD and in the resolver for sunos. named itself doesn't get involved with that.