[dns-operations] Recently closed open resolver and reflection attacks

Edward Lewis ed.lewis at neustar.biz
Thu Mar 7 15:06:41 UTC 2013

On Mar 6, 2013, at 20:33, Paul Vixie wrote:
> if the authority server in question is configured to be a primary or secondary server for a zone which is at or above the qname, then the correct answer is either authoritative-positive, authoritative-negative, or servfail.

Or a non-authoritative referral but then again there's also FORMERR and come to think of it other results involving CNAME, DNAME and even a wildcard match.

I have over time tried to come up with a state machine description of what DNS returns but never could complete the task.  The protocol is too haphazard in architecture to be nicely reverse engineered.  Sigh.

> if said authority server is not configured to be a primary or secondary for any zone at or above the qname, then the proper response is refused. (not an upward delegation as I once had it in bind8 -- my apologies to all.)

We chose SERVFAIL instead of REFUSED for that - in the sense that the service failed by sending the querier to the wrong place.  I don't think either is better than the other, just saying this because it's not always clear what's the right RCODE.

Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
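As an added illustration of the response policy the thread is arguing over (not code from the list post, nor from any DNS server implementation), the following toy model applies Vixie's rule: a server configured for a zone at or above the qname answers authoritatively (positive, NODATA or NXDOMAIN), hands out a non-authoritative referral at a delegation point, and returns REFUSED for anything outside its configured zones; a configured zone with no loaded data yields SERVFAIL. The zone names, addresses and the "stale" zone are constructed for the example; CNAME, DNAME and wildcard handling, which Lewis notes further complicate the picture, are deliberately omitted.

```python
"""Toy model of the authoritative-server response policy discussed above.

Constructed example: the zones, names and addresses are hypothetical.
It covers the cases named in the thread (authoritative positive, NODATA,
NXDOMAIN, referral at a delegation point, REFUSED outside configured
zones, SERVFAIL for a configured-but-unloaded zone); CNAME, DNAME and
wildcard processing are deliberately left out.
"""
from typing import Dict, List, Optional, Tuple

RRKey = Tuple[str, str]  # (owner name, type); owner is lowercase, no trailing dot

ZONE_DATA: Dict[str, Dict[RRKey, List[str]]] = {
    "example.com": {
        ("example.com", "SOA"): ["ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"],
        ("example.com", "NS"): ["ns1.example.com."],
        ("www.example.com", "A"): ["192.0.2.10"],
        # delegation point: this zone only holds the child's NS records
        ("child.example.com", "NS"): ["ns1.child.example.com."],
    },
}

# Zones the server is configured to serve. "stale.example.net" has no
# loaded data, standing in for a secondary whose transfer never completed.
CONFIGURED_ZONES = ["example.com", "stale.example.net"]


def labels(name: str) -> List[str]:
    """Split a domain name into lowercase labels; the root is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def zone_for(qname: str, configured: List[str]) -> Optional[str]:
    """Return the most specific configured zone at or above qname, else None."""
    q = labels(qname)
    best: Optional[str] = None
    for zone in configured:
        z = labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(labels(best)):
                best = zone
    return best


def respond(qname: str, qtype: str,
            configured: List[str] = CONFIGURED_ZONES,
            data: Dict[str, Dict[RRKey, List[str]]] = ZONE_DATA) -> dict:
    """Return a dict with rcode, aa flag, answer and authority sections."""
    qname = qname.rstrip(".").lower()
    qtype = qtype.upper()
    zone = zone_for(qname, configured)
    if zone is None:
        # Not configured for anything at or above qname: refuse rather than
        # behave like an open resolver.
        return {"rcode": "REFUSED", "aa": False, "answer": [], "authority": []}
    records = data.get(zone)
    if records is None:
        # Configured but no usable zone data: the service itself has failed.
        return {"rcode": "SERVFAIL", "aa": False, "answer": [], "authority": []}

    q, z = labels(qname), labels(zone)
    # Walk from just below the apex down to qname; the first name carrying
    # NS records is a zone cut, and everything at or below it is delegated.
    for k in range(len(z) + 1, len(q) + 1):
        cut = ".".join(q[-k:])
        ns = records.get((cut, "NS"))
        if ns:
            return {"rcode": "NOERROR", "aa": False, "answer": [], "authority": list(ns)}

    rrset = records.get((qname, qtype))
    if rrset:
        return {"rcode": "NOERROR", "aa": True, "answer": list(rrset), "authority": []}
    if any(owner == qname for owner, _ in records):
        # Name exists but has no records of this type (NODATA).
        return {"rcode": "NOERROR", "aa": True, "answer": [], "authority": []}
    return {"rcode": "NXDOMAIN", "aa": True, "answer": [], "authority": []}


if __name__ == "__main__":
    for name, rtype in [("www.example.com.", "A"), ("www.example.com", "AAAA"),
                        ("nope.example.com", "A"), ("host.child.example.com", "A"),
                        ("www.example.org", "A"), ("www.stale.example.net", "A")]:
        print(f"{name:26} {rtype:5} -> {respond(name, rtype)}")
```

The REFUSED branch is the one that matters for the reflection problem in the thread's subject line: a server that instead recursed or handed out an upward referral for names it is not configured for would amplify traffic toward whoever's address was spoofed in the query. Lewis's alternative of SERVFAIL for the same case is a one-line change in that branch.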
