[dns-operations] need someone else to look at these servers
Florian Weimer
fw at deneb.enyo.de
Sat Oct 18 20:20:37 UTC 2014
* Mark Andrews:
> The servers (or the firewalls in front of them) are not RFC 103[45]
> compliant. DNS is a query/response protocol. If you don't get a
> response the server is broken.
Running a UDP service which responds to unrecognizable packets is
precisely what you should not do because it can result in never-ending
packet loops.
> If you can't parse the packet,
> you *construct* a response which is just the DNS header with the
> rcode set to FORMERR, the id set to that of the query and qr set
> to 1, aa set to 0, aa set to 0, ad set to 0, rd copied, ra set as
> appropriate (not that it really matters), cd copied if you support
> DNSSEC otherwise set to 0, z set to 0. This isn't rocket science.
> It is not hard to do this.
Reflecting the packet in this way may have been compliant in the RFC
1034/1035 days, but it is explicitly outlawed by RFC 6891 section 7
(you cannot strip the OPT record as required if you cannot parse the
packet). I pointed out prior to publication that EDNS0bis explicitly
imposed a requirement on implementations which do not implement this
specification, but this comment was sadly ignored.