[dns-operations] DNS ANY requests / UltraDNS
Mark Andrews
marka at isc.org
Thu Jan 10 07:28:25 UTC 2013
In message <87hampzf4z.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Mark Andrews:
>
> > Instead of just causing everyone to hack their code to force TCP
> > just return NOERROR, TC=1 and legitimate client will fallback to TCP
> > without all the other side effects of this ill considered change.
>
> This will still break things because prior to the change, large
> authoritative ANY responses are truncated without setting TC=1. After
> the change, large ANY responses enter the cache and trigger TC=1
> responses to stub resolvers (recursors do not silently truncate ANY
> responses, it seems), which may not be prepared to accept such large
> responses (or even fall back to TCP).
Such stubs are already broken. TC=1 has always been an expected result.
> Some breakage is unavoidable. Considering that ANY queries rarely
> give the results expected by the sender, refusing them outright makes
> sense to me.
So now recursive servers need to try all the authoritative servers,
trying to find a non-broken server. Then they will return SERVFAIL
to the clients, which you then hope will do something sensible with the
SERVFAIL response.
This is a DoS attack on the recursive resolvers. STOP IT.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
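The two behaviours argued about above (an authoritative server answering a large ANY query with NOERROR and TC=1 so the client retries over TCP, versus refusing the query outright so the recursor walks every server and finally hands the stub a SERVFAIL) can be shown with a small offline simulation. The code below is an added example, not part of the thread or of any ISC or UltraDNS software; it builds constructed DNS wire messages in memory, the policy names `"truncate"` and `"refuse"` are assumptions for the two server behaviours, and no network traffic is sent.

```python
import struct

# Header flag bits and response codes from RFC 1035 section 4.1.1.
FLAG_QR = 0x8000   # 1 = response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated: the client is expected to retry over TCP
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_REFUSED = 5
QTYPE_ANY = 255
UDP_MAX = 512      # classic non-EDNS UDP payload limit


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(msg_id, flags, question, answer=b"", ancount=0):
    """12-byte header + question section + (optional) answer section."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    return header + question + answer


def parse_header(data):
    """Decode the fields a client needs to decide what to do next."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def build_a_rr(ipv4, ttl=300):
    """Constructed A record; 0xC00C is a compression pointer to the question name."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata


# Constructed sample data: an ANY question and 40 A records (640 bytes of RRs),
# deliberately larger than a 512-byte UDP response can carry.
QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_ANY, 1)
SAMPLE_RRSET = b"".join(build_a_rr("192.0.2.%d" % i) for i in range(1, 41))
SAMPLE_RRCOUNT = 40


def answer_any_query(msg_id, question, rrset, rrcount, policy, udp_max=UDP_MAX):
    """Authoritative side. policy "truncate": NOERROR with TC=1 and an empty answer
    section when the full answer does not fit udp_max. policy "refuse": REFUSED."""
    if policy == "refuse":
        return build_message(msg_id, FLAG_QR | FLAG_AA | RCODE_REFUSED, question)
    full = build_message(msg_id, FLAG_QR | FLAG_AA | RCODE_NOERROR, question, rrset, rrcount)
    if len(full) <= udp_max:
        return full
    return build_message(msg_id, FLAG_QR | FLAG_AA | FLAG_TC | RCODE_NOERROR, question)


def client_next_step(udp_response):
    """What a correctly behaving client does with a UDP response."""
    h = parse_header(udp_response)
    if h["rcode"] == RCODE_NOERROR and h["tc"]:
        return "retry over TCP"
    if h["rcode"] == RCODE_NOERROR:
        return "use answer"
    if h["rcode"] == RCODE_REFUSED:
        return "try next authoritative server"
    return "servfail"


def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def recursive_lookup(server_policies, msg_id=0x1234):
    """Recursive resolver walking the authoritative servers in turn: UDP first,
    TCP on TC=1. Returns ("NOERROR", ancount) or ("SERVFAIL", None) for the stub."""
    for policy in server_policies:
        udp_resp = answer_any_query(msg_id, QUESTION, SAMPLE_RRSET, SAMPLE_RRCOUNT, policy)
        step = client_next_step(udp_resp)
        if step == "retry over TCP":
            framed = tcp_frame(answer_any_query(msg_id, QUESTION, SAMPLE_RRSET,
                                                SAMPLE_RRCOUNT, policy, udp_max=65535))
            length = struct.unpack("!H", framed[:2])[0]
            return ("NOERROR", parse_header(framed[2:2 + length])["ancount"])
        if step == "use answer":
            return ("NOERROR", parse_header(udp_resp)["ancount"])
        # REFUSED: the recursor has to move on and query the next server.
    return ("SERVFAIL", None)


if __name__ == "__main__":
    print("one truncating server:", recursive_lookup(["truncate"]))
    print("two refusing servers: ", recursive_lookup(["refuse", "refuse"]))
```

With a single server that truncates, the resolver gets TC=1, retries over TCP and returns all 40 records; with servers that refuse, it exhausts the list and can only hand the stub a SERVFAIL, which is the extra per-query work on the recursor that the message objects to.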