[dns-operations] Recently closed open resolver and reflection attacks
Mark Andrews
marka at isc.org
Fri Mar 8 00:28:40 UTC 2013
In message <F9C141D2-6A4F-4CE2-A033-D32E7126F6AF at dnss.ec>, Roy Arends writes:
> [1] BIND responds with SERVFAIL to a query where the QNAME is longer than 255 bytes. When all the servers for a domain are BIND, this
> often leads to a burst of requests, striped over all the authoritative servers for that domain. Naturally, a resolver should not
> emit a query with a QNAME longer than 255 bytes, however, we do not choose the resolvers we respond to, and thus simply deal with
> these bursts. A FORMERR would (imho) be the appropriate response.
Already fixed in the last beta. Upgrade when you feel it is appropriate.
3458. [bug] Return FORMERR when presented with a overly long
domain named in a request. [RT #29682]
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
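
Added example, not part of the original message and not BIND's code: a sketch of the parse-stage check discussed above, answering FORMERR when a query's QNAME exceeds 255 octets on the wire. The function names, the constructed sample queries and the choice to reject compression pointers in the question are assumptions of this sketch.

```python
import struct

MAX_NAME = 255        # RFC 1035 limit on a name's wire length, root label included
NOERROR, FORMERR = 0, 1

def build_query(labels, qid=0x1234):
    """Constructed sample input: a one-question query (RD set, QTYPE A, QCLASS IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)

def qname_wire_length(msg, pos=12):
    """Walk the QNAME labels; return the wire length or raise ValueError."""
    total = 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0:
            # Top bits set: label over 63 octets or a compression pointer.
            # Assumption of this sketch: pointers in the question are rejected.
            raise ValueError("bad label type")
        total += 1 + length
        if total > MAX_NAME:
            raise ValueError("name longer than 255 octets")
        if length == 0:
            return total
        pos += 1 + length

def classify_query(msg):
    """RCODE for the parse stage: FORMERR if malformed, else NOERROR."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        return FORMERR
    try:
        name_len = qname_wire_length(msg)
    except ValueError:
        return FORMERR
    # QTYPE and QCLASS must follow the name.
    return NOERROR if len(msg) >= 12 + name_len + 4 else FORMERR

def formerr_response(msg):
    """Header-only FORMERR reply: echo ID, opcode and RD; set QR; zero counts."""
    qid, flags = struct.unpack("!HH", msg[:4])
    flags = 0x8000 | (flags & 0x7900) | FORMERR
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)
```

A name of three 63-octet labels plus one 61-octet label is exactly 255 octets and passes; one more octet in the last label is rejected.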