[dns-operations] RRL exposed: resolver issues with AAAA-only NS?

Phil Pennock dnsop+phil at spodhuis.org
Thu Jan 10 21:53:47 UTC 2013


Anyone know of any resolvers that suffer horribly and die when presented
with an NS host which is AAAA-only?

Since turning on RRL, I'm seeing a few different netblocks hit
rate-limits for "nlns6.globnix.net IN A".  Frankly, I'm happy to limit
my responses to buggy clients which chew my bandwidth (another win for
RRL), but am wondering if anyone knows if there's some particular
software at fault?  I doubt that a small NOERROR response is a
deliberate amplification attack, so bug seems more likely.

Thanks,
-Phil

(nlns.globnix.net has nlns4 and nlns6, and all three are available as NS
glue, and this is deliberate; most of my zones are now using
dual-stacked hostnames, but years ago when I set this approach up, I was
concerned by buggy IPv4-only hosts which would barf if all resolvers
were dual-stacked.  I'm keeping these around, in part for a friend who
has an experiment with an IPv6-only-NS domain.)


