[dns-operations] Recently closed open resolver and reflection attacks
Roy Arends
roy at dnss.ec
Fri Mar 8 01:15:23 UTC 2013
Thanks Mark, much appreciated!
Roy
On Mar 7, 2013, at 4:28 PM, Mark Andrews <marka at isc.org> wrote:
>
> In message <F9C141D2-6A4F-4CE2-A033-D32E7126F6AF at dnss.ec>, Roy Arends writes:
>> [1] BIND responds with SERVFAIL to a query where the QNAME is longer than 255 bytes. When all the servers for a domain are BIND, this
>> often leads to a burst of requests, striped over all the authoritative servers for that domain. Naturally, a resolver should not
>> emit a query with a QNAME longer than 255 bytes, however, we do not choose the resolvers we respond to, and thus simply deal with
>> these bursts. A FORMERR would (imho) be the appropriate response.
>
> Already fixed in the last beta. Upgrade when you feel it is appropriate.
>
> 3458. [bug] Return FORMERR when presented with a overly long
> domain named in a request. [RT #29682]
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
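
The check discussed in this thread, as an added example that is not part of the original messages and is not BIND's code: a server-side validator that walks the question name in a DNS query and returns a header-only FORMERR reply when the name exceeds 255 octets on the wire. All function names are hypothetical, the sample queries are constructed, and rejecting compression pointers in the question is a simplification of this sketch.

```python
import struct

FORMERR = 1       # RCODE 1: the query itself is malformed
MAX_NAME = 255    # maximum wire length of a domain name, root label included

def qname_wire_length(msg, offset=12):
    """Walk the question name; return its wire length or raise ValueError."""
    total = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0:
            # Top bits set: label longer than 63 octets or a compression
            # pointer. This sketch rejects both in the question (simplification).
            raise ValueError("bad label type or length")
        total += 1 + length
        if total > MAX_NAME:
            raise ValueError("name longer than 255 octets")
        if length == 0:
            return total
        offset += 1 + length

def formerr_response(msg):
    """Header-only reply: same ID, QR=1, opcode and RD copied, RCODE=FORMERR."""
    qid, flags = struct.unpack("!HH", msg[:4])
    flags = 0x8000 | (flags & 0x7900) | FORMERR
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)

def handle(msg):
    """Return a FORMERR reply for a malformed question name, else None."""
    if len(msg) < 12:
        return None  # no complete header, nothing to answer
    try:
        qname_wire_length(msg)
    except ValueError:
        return formerr_response(msg)
    return None  # name is well-formed; normal processing would continue

def build_query(labels, qid=0x1234):
    """Constructed sample input: a one-question query with RD set."""
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    legal = build_query([b"a" * 63] * 3 + [b"b" * 61])     # 255 octets on the wire
    too_long = build_query([b"a" * 63] * 3 + [b"b" * 62])  # 256 octets on the wire
    print(handle(legal), handle(too_long).hex())
```

Because FORMERR tells the resolver that the query itself is at fault, it gives the resolver no reason to try the same name against the domain's other authoritative servers, which is the burst described above for SERVFAIL.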