[dns-operations] [ratelimits] bind force qtype=ANY to TCP
Jared Mauch
jared at puck.nether.net
Thu May 16 00:40:19 UTC 2013
I fixed the patch by moving where it does this check to before query_find as opposed to inside it.
Thanks for the insight and input.
- Jared
On May 15, 2013, at 8:03 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
> I think the patch has a false negative rate of approximately 100%.
> To check whether I am wrong again, I set up a test server and tried
> two `dig +ignore isc.org any` commands. The first got a TC=1 error
> response as expected. The second command got 3500 bytes of RRs via
> UDP. I expect (but haven't tested) that all subsequent queries get
> normal responses until all of the TTLs expire.
>
> So I recommend that those who want to answer all UDP ANY responses
> with TC=1 and don't like my real recommendation of "Don't Do That!"
> use one of the fancy iptables or other firewall rules for doing that.
> Or am I wrong again and no one has offered such rules?--if so, use
> one of the rules that simply block ANY (which I also don't like).
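As an added illustration that is not part of this message or of the BIND patch under discussion, here is a toy Python responder that applies the UDP-ANY check before its cache lookup (the placement Jared describes, ahead of `query_find`), so the repeated `ANY` query Vernon tested gets TC=1 on every attempt instead of only the first. The owner name, cache contents and function names are constructed for the example; only the DNS header layout and the TC bit are real.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
CLASS_IN = 1

# Constructed cache for a hypothetical name (not isc.org's real data):
# (owner, type) -> list of (ttl, rdata bytes)
CACHE = {
    ("example.test.", QTYPE_A): [(3600, bytes([192, 0, 2, 1]))],
    ("example.test.", QTYPE_TXT): [(3600, b"\x0bv=spf1 -all")],
}


def encode_name(name):
    """DNS wire form of a dotted name (no label compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, qtype):
    """Header (RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(msg):
    """Return (id, flags, owner name, qtype, raw question section)."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1  # root label
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, flags, ".".join(labels) + ".", qtype, msg[12:pos + 4]


def encode_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def query_find(name, qtype):
    """Cache lookup (stand-in for BIND's query_find); ANY gathers every RRset."""
    if qtype == QTYPE_ANY:
        return [(t, ttl, rd) for (n, t), rrs in CACHE.items() if n == name for ttl, rd in rrs]
    return [(qtype, ttl, rd) for ttl, rd in CACHE.get((name, qtype), [])]


def respond(query, transport):
    qid, qflags, name, qtype, question = parse_question(query)
    rd = qflags & 0x0100  # echo the client's RD bit
    # The check from the thread, placed *before* the cache lookup so it fires on
    # every UDP ANY query whether or not the answer is already cached: send an
    # empty response with TC=1 and let a well-behaved client retry over TCP.
    if transport == "udp" and qtype == QTYPE_ANY:
        return struct.pack("!HHHHHH", qid, 0x8200 | rd, 1, 0, 0, 0) + question  # QR=1, TC=1
    rrs = query_find(name, qtype)
    header = struct.pack("!HHHHHH", qid, 0x8000 | rd, 1, len(rrs), 0, 0)  # QR=1, TC=0
    return header + question + b"".join(encode_rr(name, t, ttl, rd_) for t, ttl, rd_ in rrs)


def tc_bit(resp):
    """TC is bit 9 of the 16-bit flags field (0x0200)."""
    return (struct.unpack("!H", resp[2:4])[0] >> 9) & 1


def ancount(resp):
    return struct.unpack("!H", resp[6:8])[0]


def probe(name, qtype, transport, repeat=2):
    """Repeat the same query, as `dig +ignore ... any` twice would; return (TC, ANCOUNT) per attempt."""
    return [(tc_bit(respond(build_query(i, name, qtype), transport))
             and 1, ancount(respond(build_query(i, name, qtype), transport)))
            for i in range(repeat)]


if __name__ == "__main__":
    print(probe("example.test.", QTYPE_ANY, "udp"))  # [(1, 0), (1, 0)]: truncated every time
    print(probe("example.test.", QTYPE_ANY, "tcp"))  # [(0, 2), (0, 2)]: full answer over TCP
    print(probe("example.test.", QTYPE_A, "udp"))    # [(0, 1), (0, 1)]: other qtypes unaffected
```

The probe deliberately asks twice: a check that lives inside the cache-lookup path can be skipped once the RRsets are cached, which is the false negative Vernon observed, whereas a check ahead of the lookup is reached on every query. A real deployment would also verify that clients actually fall back to TCP and that the TCP listener can carry the load.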