[dns-operations] DNS ANY requests / UltraDNS
Florian Weimer
fw at deneb.enyo.de
Sun Jan 13 10:17:15 UTC 2013

* Mark Andrews:
> So now recursive servers need to try all the authoritative servers
> trying to find a non-broken server. Then they will return SERVFAIL
> to the clients, which you then hope will do something sensible with the
> SERVFAIL response.
>
> This is a DoS attack on the recursive resolvers. STOP IT.

If BIND has a denial-of-service vulnerability, you need to fix it in
your code. Anyone can serve a zone that triggers the vulnerability,
so begging authoritative server operators to play along nicely does
not solve the problem.