[dns-operations] DNS ANY requests / UltraDNS

Mark Andrews marka at isc.org
Thu Jan 10 07:28:25 UTC 2013

In message <87hampzf4z.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Mark Andrews:
> > Instead of just causing everyone to hack their code to force TCP
> > just return NOERROR, TC=1 and legitimate client will fallback to TCP
> > without all the other side effects of this ill considered change.
> This will still break things because prior to the change, large
> authoritative ANY responses are truncated without setting TC=1.  After
> the change, large ANY responses enter the cache and trigger TC=1
> responses to stub resolvers (recursors do not silently truncate ANY
> responses, it seems), which may not be prepared to accept such large
> responses (or even fall back to TCP).

Such stubs are already broken.  TC=1 has always been a expected result.

> Some breakage is unavoidable.  Considering that ANY queries rarely
> give the results expected by the sender, refusing them outright makes
> sense to me.

So now recursive servers need to try all the authoritative servers
trying to get a find non broken server.  Then they will return SERVFAIL
to the clients which you the hope will do something sensible with the
SERVFAIL response.

This is a DoS attack on the recursive resolvers.  STOP IT.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list