[dns-operations] [ratelimits] bind force qtype=ANY to TCP

Jared Mauch jared at puck.nether.net
Thu May 16 00:40:19 UTC 2013


I fixed the patch by moving where it does this check to before query_find as opposed to inside it.

Thanks for the insight and input.

- Jared

On May 15, 2013, at 8:03 PM, Vernon Schryver <vjs at rhyolite.com> wrote:

> I think the patch has a false negative rate of approximately 100%.
> To check whether I am wrong again, I set up a test server and tried
> two `dig +ignore isc.org any` commands.  The first got a TC=1 error
> response as expected.  The second command got 3500 bytes of RRs via
> UDP.  I expect (but haven't tested) that all subsequent queries get
> normal responses until all of the TTLs expire.
> 
> 
> So I recommend that those who want to answer all UDP ANY responses
> with TC=1 and don't like my real recommendation of "Don't Do That!"
> use one of the fancy iptables or other firewall rules for doing that.
> Or am I wrong again and no one has offered such rules?--if so, use
> one of the rules that simply block ANY (which I also don't like).
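As an added example (not part of this thread, nor BIND's or the patch's own code), a small Python checker that does offline what Vernon's two-query test did by hand: it parses the header of raw UDP responses to an ANY query and flags any that came back with real RRs instead of a TC=1 reply. The packets are constructed samples, not captures.

```python
import struct

TC_FLAG = 0x0200          # TC bit in the DNS header flags word
QTYPE_ANY = 255

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qid, flags, qname, qtype, rrs):
    """Build a minimal DNS response: header, one question, answer RRs (no compression)."""
    header = struct.pack("!HHHHHH", qid, flags, 1, len(rrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b"".join(
        encode_name(qname) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
        for rtype, ttl, rdata in rrs)
    return header + question + answers

def classify_any_response(data):
    """Parse the header of a raw UDP response; a TC=1 reply with no answer RRs
    is what 'forced to TCP' should look like on the wire."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    truncated = bool(flags & TC_FLAG)
    return {"tc": truncated, "ancount": ancount, "size": len(data),
            "forced_to_tcp": truncated and ancount == 0}

def audit(responses):
    """Indices of responses that handed out RRs over UDP instead of a TC=1 answer."""
    return [i for i, r in enumerate(responses)
            if not classify_any_response(r)["forced_to_tcp"]]

# Constructed samples mirroring the two dig results in the thread (not real captures):
# first reply QR|TC|RD|RA with no answers, second reply QR|RD|RA with RRs from cache.
TRUNCATED = build_response(0x1234, 0x8380, "isc.org", QTYPE_ANY, [])
FULL = build_response(0x1234, 0x8180, "isc.org", QTYPE_ANY, [
    (1, 3600, bytes([192, 0, 2, 1])),      # A record, TEST-NET-1 address
    (16, 3600, b"\x0bconstructed"),        # TXT record
])

if __name__ == "__main__":
    for i, r in enumerate([TRUNCATED, FULL]):
        print(i, classify_any_response(r))
    print("not forced to TCP:", audit([TRUNCATED, FULL]))
```

Run it against responses captured from `dig +ignore ... any` repeated after the first answer is cached; an index in the audit list is the false negative Vernon describes.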