[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

bert hubert bert.hubert at netherlabs.nl
Fri Jun 24 11:53:52 UTC 2011

On Fri, Jun 24, 2011 at 12:11:56PM +0100, Tony Finch wrote:
> > Unless I am missing something here, it should be safe to return a
> > REFUSED for them (I was told that Postfix is using them for some obscure
> > reason, so maybe I am talking rubbish here).
> Qmail (not Postfix) uses ANY queries to canonicalize the envelope domains
> in outgoing SMTP transactions.  This is a bug: it should use MX queries
> for this purpose.  It causes amusing interactions with qmail's buggy 512
> byte DNS packet buffer and signed zones.

The PowerDNS Recursor uses ANY queries to authoritative servers to gather A
and AAAA addresses in a single query. This is off by default and only used
if querying over IPv6 is enabled.


