[dns-operations] Recently closed open resolver and reflection attacks
ed.lewis at neustar.biz
Thu Mar 7 15:06:41 UTC 2013
On Mar 6, 2013, at 20:33, Paul Vixie wrote:
> if the authority server in question is configured to be a primary or secondary server for a zone which is at or above the qname, then the correct answer is either authoritative-positive, authoritative-negative, or servfail.
Or a non-authoritative referral but then again there's also FROMERR and come to think of it other results involving CNAME, DNAME and even a wildcard match.
I have over time tried to come up with a state machine description of what DNS returns but never could complete the task. The protocol is too hap-hazzard in architecture to be nicely reverse engineered. Sigh.
> if said authoritity server is not configured to be a primary or secondary for any zone at or above the qname, then the proper response is refused. (not an upward delegation as a i once had it in bind8 -- my apologies to all.)
We chose SERVFAIL instead of REFUSED for that - in the sense that the service failed by sending the querier to the wrong place. I don't think either is better than the other, just saying this because it's not always clear what's the right RCODE.
NeuStar You can leave a voice message at +1-571-434-5468
There are no answers - just tradeoffs, decisions, and responses.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations