[dns-operations] Recently closed open resolver and reflection attacks
Paul Vixie
paul at redbarn.org
Thu Mar 7 01:33:49 UTC 2013
...
WBrown at e1b.org wrote:
> I mistakenly wrote on 03/06/2013 11:36:20 AM:
>
>> Given that no properly configured server should be querying this recursive
>> name server for isc.org,
>
> I meant to describe it as an authoritative server. Duh. I'm having one of
> those days....
>
> Sorry for the confusion.
>
> So to rephrase the question...
>
> Is there any reason why recursive queries to an authoritative server that
> would normally get a REFUSED reply shouldn't be dropped instead of getting
> an answer?
>
> Maybe now that I've had lunch the brain will work better.
if the authority server in question is configured to be a primary or
secondary server for a zone which is at or above the qname, then the
correct answer is either authoritative-positive, authoritative-negative,
or servfail. servfail is if the zone data source is unavailable, such as
a missing primary zone file or an expired secondary zone cache file.
if said authority server is not configured to be a primary or
secondary for any zone at or above the qname, then the proper response
is refused. (not an upward delegation as i once had it in bind8 -- my
apologies to all.)
the reason for these differences is to help in diagnostics.
recursive servers should behave reasonably, which at a minimum means,
not repeating the same query immediately. this can be done with a
hold-down timer or a negative cache, at the whim of the implementor.
since many recursive servers and many spoofed-source ddos attackers
repeat the query immediately, i'm in agreement that RRL should have a
threshold for "refused".
paul
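The response rule described in the message above (authoritative answer, SERVFAIL when the zone data is unavailable, REFUSED when no configured zone sits at or above the qname), combined with a per-source threshold for REFUSED answers of the kind suggested for RRL, as an added Python sketch that is not part of the original post; the zone table, source addresses, threshold and window are constructed for illustration:

```python
"""Decide an authoritative server's response class and rate-limit REFUSED."""
from collections import defaultdict

# Constructed zone configuration: zone name -> True if zone data is loaded,
# False if the data source is unavailable (missing primary file, expired cache).
ZONES = {"isc.org.": True, "example.net.": False}


def zone_for(qname, zones=ZONES):
    """Return the closest configured zone at or above qname, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # walk from the full name towards the root
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def response_for(qname, zones=ZONES):
    """Map a query to AUTHORITATIVE, SERVFAIL or REFUSED per the rule above."""
    zone = zone_for(qname, zones)
    if zone is None:
        return "REFUSED"                  # not primary/secondary for anything here
    return "AUTHORITATIVE" if zones[zone] else "SERVFAIL"


class RefusedLimiter:
    """Count REFUSED answers per source in a sliding window; excess are dropped."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(list)     # source -> timestamps of recent attempts

    def allow(self, source, now):
        hist = [t for t in self.seen[source] if now - t < self.window]
        hist.append(now)                  # dropped attempts still count
        self.seen[source] = hist
        return len(hist) <= self.threshold


def handle(queries, threshold=3, window=1.0):
    """Process (time, source, qname) tuples in time order; return (qname, action)."""
    limiter = RefusedLimiter(threshold, window)
    out = []
    for t, src, qname in queries:
        rcode = response_for(qname)
        if rcode == "REFUSED" and not limiter.allow(src, t):
            out.append((qname, "DROP"))   # over threshold: answer nothing at all
        else:
            out.append((qname, rcode))
    return out
```

A source that keeps repeating a query that would be REFUSED quickly exceeds the threshold and gets silence, while queries for zones the server actually serves are never dropped by this limiter.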