[dns-operations] need someone else to look at these servers

Florian Weimer fw at deneb.enyo.de
Sat Oct 18 20:20:37 UTC 2014

* Mark Andrews:

> The servers (or the firewalls in front of them) are not RFC 103[45]
> compliant.  DNS is a query/response protocol.  If you don't get a
> response the server is broken.

Running a UDP service which responds to unrecognizable packets is
precisely what you should not do because it can result in never-ending
packet loops.

> If you can't parse the packet,
> you *construct* a response which is just the DNS header with the
> rcode set to FORMERR, the id set to that of the query and qr set
> to 1, aa set to 0, aa set to 0, ad set to 0, rd copied, ra set as
> appropriate (not that it really matters), cd copied if you support
> DNSSEC otherwise set to 0, z set to 0.  This isn't rocket science.
> It is not hard to do this.

Reflecting the packet in this way may have been compliant in the RFC
1034/1035 days, but it is explicitly outlawed by RFC 6891 section 7
(you cannot strip the OPT record as required if you cannot parse the
packet).  I pointed out prior to publication that EDNS0bis explicitly
imposed a requirement on implementations which do not implement this
specification, but this comment was sadly ignored.

More information about the dns-operations mailing list