[dns-operations] Recently closed open resolver and reflection attacks

Roy Arends roy at dnss.ec
Fri Mar 8 01:15:23 UTC 2013

Thanks Mark, much appreciated!


On Mar 7, 2013, at 4:28 PM, Mark Andrews <marka at isc.org> wrote:

> In message <F9C141D2-6A4F-4CE2-A033-D32E7126F6AF at dnss.ec>, Roy Arends writes:
>> [1] BIND responds with SERVFAIL to a query where the QNAME is longer than 255 bytes. When all the servers for a domain are BIND, th
>> is often leads to a burst of requests, striped over all the authoritative servers for that domain. Naturally, a resolver should not
>> emit a query with a QNAME longer than 255 bytes, however, we do not choose the resolvers we respond to, and thus simply deal with 
>> these bursts. A FORMERR would (imho) be the appropriate response. 
> Already fixed in the last beta.  Upgrade when you feel it is appropriate.
> 3458.   [bug]           Return FORMERR when presented with a overly long
>                        domain named in a request. [RT #29682]
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list