[dns-operations] Recently closed open resolver and reflection attacks

Mark Andrews marka at isc.org
Fri Mar 8 00:28:40 UTC 2013


In message <F9C141D2-6A4F-4CE2-A033-D32E7126F6AF at dnss.ec>, Roy Arends writes:
> [1] BIND responds with SERVFAIL to a query where the QNAME is longer than
> 255 bytes. When all the servers for a domain are BIND, this often leads to
> a burst of requests, striped over all the authoritative servers for that
> domain. Naturally, a resolver should not emit a query with a QNAME longer
> than 255 bytes, however, we do not choose the resolvers we respond to, and
> thus simply deal with these bursts. A FORMERR would (imho) be the
> appropriate response.

Already fixed in the last beta.  Upgrade when you feel it is appropriate.

3458.   [bug]           Return FORMERR when presented with a overly long
                        domain named in a request. [RT #29682]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
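
The check discussed in this message, as an added example that is not part of the original post and is not BIND's code: a wire-format walk of the question's QNAME that answers FORMERR once the name exceeds the 255-octet limit of RFC 1035. The names check_qname and build_query are hypothetical, the query bytes are constructed, and treating any length octet above 63 as malformed is a simplifying assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { RCODE_NOERROR = 0, RCODE_FORMERR = 1, HDR_LEN = 12, MAX_LABEL = 63, MAX_NAME = 255 };

/* Hypothetical helper: validate the QNAME of the first question in a raw
 * query. Sets *name_len to the wire length (length octets and root included). */
int check_qname(const uint8_t *msg, size_t msg_len, size_t *name_len)
{
    size_t off = HDR_LEN, total = 0;
    for (;;) {
        if (off >= msg_len) return RCODE_FORMERR;      /* ran off the packet */
        size_t len = msg[off];
        /* Assumption: pointers and reserved label types are malformed here. */
        if (len > MAX_LABEL) return RCODE_FORMERR;
        total += 1 + len;
        if (total > MAX_NAME) return RCODE_FORMERR;    /* overly long name */
        if (len == 0) break;                           /* root label */
        off += 1 + len;
    }
    if (msg_len - off < 5) return RCODE_FORMERR;       /* root + QTYPE + QCLASS */
    *name_len = total;
    return RCODE_NOERROR;
}

/* Build a constructed query: n_labels labels of label_len 'a' octets, type A. */
size_t build_query(uint8_t *buf, size_t cap, size_t n_labels, size_t label_len)
{
    size_t off = HDR_LEN, need = HDR_LEN + n_labels * (1 + label_len) + 5;
    if (need > cap) return 0;
    memset(buf, 0, need);
    buf[5] = 1;                                        /* QDCOUNT = 1 */
    for (size_t i = 0; i < n_labels; i++) {
        buf[off++] = (uint8_t)label_len;
        memset(buf + off, 'a', label_len);
        off += label_len;
    }
    buf[off + 2] = 1;                                  /* QTYPE = A */
    buf[off + 4] = 1;                                  /* QCLASS = IN */
    return need;
}

int main(void)
{
    uint8_t buf[512];
    size_t len = 0, n = build_query(buf, sizeof buf, 128, 1); /* 257 octets */
    printf("rcode %d\n", check_qname(buf, n, &len));
    return 0;
}
```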
